Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service | by Kevin Beaumont - DoublePulsar
Kevin Beaumont
Mar 31, 2025
Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers.
Back on March 21st, Bleeping Computer ran a story about a threat actor named rose87168 claiming to have breached some Oracle services inside *.oraclecloud.com.
Oracle told Bleeping Computer, and customers, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data”.
The threat actor then posted an archive.org URL and provided it to Bleeping Computer, strongly suggesting they had write access to login.us2.oraclecloud.com, a service using Oracle Access Manager. This server is entirely managed by Oracle:
https://cyberplace.social/@GossiTheDog/114202395143978043
Oracle have since requested Archive.org take down the proof:
The threat actor then provided a several-hour-long recording of an internal Oracle meeting, complete with Oracle employees talking for two hours:
The meeting is viewable here and the transcript is here:
https://github.com/j-klawson/oracle_breach_2025/blob/main/youtube_video_transcript.txt
The two-hour video includes things like access to internal Oracle password vaults and to customer-facing systems:
I’ve masked the root passwords of Oracle’s systems
Both Hudson Rock and Bleeping Computer were then able to confirm with Oracle customers that their data — including staff email addresses — was in data released by the threat actor:
Bleeping Computer: Oracle customers confirm data stolen in alleged cloud breach is valid (www.bleepingcomputer.com)
“Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6…”
The threat actor, rose87168, is still active online and releasing data — and threatening to release more:
They have also released data to cybersecurity threat intelligence providers.
In data released to a journalist for validation, it has now become 100% clear to me that there has been a cybersecurity incident at Oracle, involving systems which processed customer data.
For example, the threat actor has publicly provided complete Oracle configuration files, and current ones at that. Among them are Oracle webserver configuration files:
All the systems impacted are directly managed by Oracle. Some of the data provided to journalists is current, too. This is a serious cybersecurity incident that impacts customers, on a platform managed by Oracle.
Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle — or customers should start stepping off.
Update 1 — Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.
Oracle are denying it on “Oracle Cloud” by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.
Update 2 — although Oracle used the archive.org exclusion process to remove evidence of writing to one of the oraclecloud.com webservers, they forgot to remove the second URL.
The threat actor’s email address
Update 3 — Multiple Oracle cloud customers have reached out to me to say Oracle have now confirmed a breach of their services.
They are only doing so verbally and will not write anything down, so they’re setting up meetings with large customers who query.
This is similar to their behaviour in the ongoing breach of medical PII at Oracle Health, where they will only provide details verbally and not in writing:
Bleeping Computer: Oracle Health breach compromises patient data at US hospitals (www.bleepingcomputer.com)
“A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient…”
https://www.bloomberg.com/news/articles/2025-03-28/oracle-warns-health-customers-of-patient-data-breach
Additional information has come to light on the security issues with Oracle Classic (aka OCI Gen1); I am investigating.
You can follow me on Mastodon for the latest updates, if you want: https://cyberplace.social/invite/hHiX8ntL or @gossithedog@cyberplace.social