Oracle has confirmed a security incident involving “two obsolete servers,” but vehemently denies a breach of its Oracle Cloud Infrastructure (OCI). The company insists that no customer data or cloud services were compromised. This follows reports of a threat actor, rose87168, offering millions of data records for sale on BreachForums.
“Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” the company stated in customer notifications.
“No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.”
The leaked credentials originated from these obsolete servers, which were not part of OCI. Oracle claims the passwords were encrypted or hashed, preventing access to customer data. However, cybersecurity expert Kevin Beaumont points out that these servers were part of Oracle Cloud Classic, a rebranded older service.
“Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident,” Beaumont stated.
“Oracle are denying it on ‘Oracle Cloud’ by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.”
BleepingComputer independently verified that some of the leaked data, including email addresses and user names, is valid. This contradicts Oracle’s earlier statements that the published credentials were not associated with the Oracle Cloud.
Oracle email statement
The incident came to light after the threat actor shared data obtained from the end of 2024 and early 2025. Prior to this public disclosure, Oracle privately acknowledged the breach to some clients, describing it as affecting a legacy environment last used in 2017. However, the timeline of the breach and the validity of the leaked data challenge this characterization.
A cybersecurity firm, CybelAngel, reported that the attacker deployed a web shell and malware on Oracle Gen 1 (Oracle Cloud Classic) servers as early as January 2025. The attacker allegedly stole data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.
This incident highlights the importance of regularly decommissioning outdated systems and maintaining robust security practices across all environments, even legacy ones. The discrepancy between Oracle’s public statements and the confirmed validity of leaked data raises concerns about transparency and the potential for future vulnerabilities.
