Oracle alerts customers

According to two people with knowledge of the situation, Oracle has informed clients that a hacker gained access to a computer system and took old client login passwords. In the past month, the software provider has informed clients of two cybersecurity breaches.

Some clients were notified this week by Oracle employees that the attacker had obtained encrypted passwords, passkeys, and usernames, according to sources who spoke on condition of anonymity because they are not authorized to address the issue.

Oracle also told clients that the FBI and cybersecurity company CrowdStrike Holdings are looking into the matter, according to the sources, who said the attacker had also requested an extortion payment from the company. Oracle told customers that the infiltration is distinct from another hack that the company alerted some healthcare clients about last month, the sources said.

An Oracle official did not respond to messages requesting comment. A CrowdStrike official directed inquiries to Oracle, while the FBI declined to comment.

When an unnamed individual started attempting to sell data online that they said they had stolen from the Austin, Texas-based company’s cloud servers last month, details regarding the compromised credentials began to surface. Oracle denied that its cloud storage offering had been compromised in response to these allegations, which Bleeping Computer had first published.

In a client statement obtained by Bloomberg News, the company said that there had been no Oracle Cloud breach, that the credentials made public are not for the Oracle Cloud, and that no data loss or breach occurred for any Oracle Cloud customers.

Oracle employees admitted to some customers this week that an intruder had gained access to what the firm referred to as a “legacy environment,” the sources said. Customers were told by the corporation that there was little risk associated with the stolen client credentials because the system had not been used for eight years, according to the sources.

Oracle client log-in credentials from as recently as 2024 were among the stolen data, according to a third individual with knowledge of the theft. That source likewise spoke on condition of anonymity because they are not authorized to address the subject.

Karl Sigler, senior security research manager at Trustwave SpiderLabs Threat Intelligence, said researchers from the cybersecurity firm Trustwave Holdings verified the data that was put up for sale online as being taken straight from Oracle. According to him, the pilfered content represents a “rich dataset” that hackers may utilize to send phishing emails and possibly take over users’ accounts.
