Serious data breach at Oracle Cloud service – Hundreds of thousands of customer records exposed
In March 2025, a major data security incident occurred at Oracle's cloud services. Unknown hackers gained access to one of Oracle Cloud's login systems and stole a large amount of customer data. The leaked information included login credentials and other sensitive data, and several affected customers confirmed its authenticity, meaning that the compromised data actually belonged to existing Oracle Cloud accounts (securityweek.com). Oracle Corporation initially strongly denied that there had been an unauthorized intrusion, but evidence uncovered by independent security analysts quickly refuted the company's statements (hwsw.hu). Eventually – although no public press release had been issued as of the time of writing – Oracle was forced to privately acknowledge the incident to some of its customers. Below we review exactly what happened, which systems were affected, how Oracle responded, the size and scope of the customer data leak, and what the possible security, legal and business implications are.
What happened? – Details of the attack
At the end of March, a user with the pseudonym “rose87168” posted on a well-known hacker forum that he had hacked one of Oracle Cloud’s login servers (the login.us2.oraclecloud.com endpoint) and obtained the data of more than 140,000 Oracle Cloud customers (hwsw.hu). According to him, the compromised database contained approximately 6 million rows of records, including many sensitive credentials. The information stolen by the hacker included:
• SSO (single sign-on) passwords, in encrypted form;
• Password hashes belonging to an LDAP directory;
• Java Key Store (JKS) key files – digital certificates and private keys;
• Oracle Enterprise Manager JPS keys (Java Platform Security keys, which are part of Oracle’s enterprise management system).
In a posting on a hacker forum, user “rose87168” details the data stolen from Oracle Cloud (6 million user records with SSO/LDAP credentials and keys) and offers to sell it.
According to the attacker, the SSO passwords were obtained in encrypted form, but he claims to also have the files needed to decrypt them. Similarly, LDAP password hashes can be cracked given time and the right resources. The hacker offered to “list all the domains of the companies involved” in the leak, implying that, before selling or publishing the package, he would remove certain companies’ data from it for a price, a form of blackmail (the post says that companies can even pay to be left off the list). All of this shows the supply chain nature of the attack: by compromising a cloud service provider, thousands of organizations worldwide were put at risk simultaneously.
What vulnerability was exploited? Independent expert analysis suggests that the attackers targeted an older generation of Oracle Cloud infrastructure, the so-called Oracle Cloud Classic platform (bleepingcomputer.com). The indications are that the attackers exploited a previously identified flaw in Oracle’s own software: a known vulnerability in Oracle Access Manager (CVE-2021-35587). This vulnerability was disclosed back in 2021, but Oracle apparently did not deploy the patch on its own cloud servers (theregister.com). After successful exploitation, the attackers presumably installed a webshell and other malicious components on the compromised server in order to maintain access (bleepingcomputer.com).
When did this all happen? Based on the investigations, the compromise may have begun as early as January 2025, when the attacker managed to penetrate the unprotected Oracle Cloud Classic server (bleepingcomputer.com). The intrusion went unnoticed for weeks; suspicious activity within Oracle's systems finally came to light at the end of February. During this time, the perpetrator managed to export a significant amount of data from Oracle's cloud Identity Manager database, including user email addresses, usernames and hashed passwords. The attacker therefore not only breached the entry point but also penetrated deeper into Oracle's cloud identity management system, potentially opening the way to additional systems.
Oracle's response – denial, evidence and later admission
Oracle's initial response to the incident was a categorical denial. The post about the data sale appeared on the hacker forum on March 20; a few days later, on March 24, an Oracle spokesperson issued an official statement stating that “there was no data leak in Oracle Cloud, the alleged credentials published do not belong to the Oracle Cloud service, and no Oracle customer lost data” (hwsw.hu). The company clearly communicated that the hacker’s claims were unfounded and that no security incident had affected the cloud service. Despite the company’s firm denials, contradictory signs soon began to emerge. The sample data published by the hacker on the dark web was very convincing: several independent cybersecurity companies analyzed it and unanimously concluded that Oracle’s cloud systems had indeed been compromised (hwsw.hu). At one point, the attacker even demonstrated that he could upload an arbitrary file to an Oracle server, proving that he had actual access to the system (bleepingcomputer.com). In addition, the sample shared by the hacker included about 10,000 records of real customer information, which he also sent to several security firms as evidence. After reviewing it, several Oracle Cloud customers confirmed that the leaked data was genuine, came from their systems, and belonged to accounts used in a production environment (securityweek.com). Some affected parties reported that the leaked credentials could even access sensitive business data in their systems, meaning that the compromised user accounts had high-level privileges (securityweek.com). This made it clear that, contrary to Oracle's claims, there was a real incident, and that the denial had only cost valuable time.
As more evidence came to light, Oracle was forced to change its position, although it continued to minimize the issue in public. In the first days of April, the company began to confidentially notify some of its customers about what had happened (hwsw.hu). According to these notifications, the attack had hit an “old server, used for eight years”, and outdated data on it may have been leaked – suggesting that the compromised credentials were old anyway and perhaps no longer relevant. Two customers told the press that Oracle had contacted them with this explanation in the background (hwsw.hu). To a third customer, however, the company admitted that login data from 2024 (i.e. quite recent) was also involved in the leak (hwsw.hu). This inconsistent communication suggests that Oracle itself was initially unsure of the nature of the leak, or was trying to make it appear smaller than it actually was.
In the meantime, it has also emerged that Oracle brought in external expert help: the cybersecurity company CrowdStrike was involved in the investigation, and the US Federal Bureau of Investigation (FBI) has also opened an investigation into the case (hwsw.hu, theregister.com). All this confirms that the company was taking the situation seriously behind the scenes, even if it tried to maintain a different narrative towards the public. To date, Oracle has not issued a public incident report or apology; officially, the company insists on the narrow interpretation that it was not the (modern) Oracle Cloud platform that was breached but an “Oracle Classic” system, so according to them there is still no formal question of a breach of Oracle Cloud (bleepingcomputer.com). However, this can only be considered a semantic defense – in reality, a cloud service operated by Oracle was compromised, and a mass of customer data was exposed to unauthorized parties.
The extent of the stolen data and the range of customers affected
Based on current information, the Oracle Cloud data breach is enormous. The data set offered by the attacker contains approximately 6 million unique records, linked to hundreds of thousands of user IDs. It is estimated that more than 140,000 Oracle Cloud accounts (tenants) were compromised (hwsw.hu) – in practice this means hundreds of thousands of Oracle Cloud customers (including both companies and their users). The scale of the case is illustrated by the fact that, according to security experts, organizations in about 90 countries worldwide were affected by the leak (securityweek.com). Most of the affected companies are located in the United Kingdom, the United States, Italy, France and Germany – these countries account for the largest share of the Oracle Cloud customers who have now been compromised (securityweek.com). Moreover, the leaked lists include not only private companies but also state and government agencies: expert analysis identified government domain names in the United States, the United Kingdom and Italy, as well as offices in Scandinavian and other European countries (securityweek.com). This means that the attack affected a wide range of Oracle customers, from small startups to large enterprises to government institutions.
How sensitive is the stolen data? The leak primarily affected credentials (passwords, keys, identifiers), so what was directly exposed was not the business documents or financial data of customer companies but the means of access to them. However, this does not mean that the risk from the incident is low. On the contrary: if attackers or other unauthorized parties use the obtained login details, they can penetrate additional systems at the affected organizations. Several customers have indicated that some of the compromised accounts had high privileges in the company infrastructure, such as access to internal databases or sensitive information (securityweek.com). It is important to emphasize that although the passwords were exposed in encrypted or hashed form, this is only temporary protection: with the appropriate expertise and computing capacity, these credentials can be recovered. The perpetrator himself has indicated on the hacker forum that he is working on cracking the SSO passwords and is also interested in zero-day exploits (presumably as barter for the stolen data). All of this suggests that the data obtained is very valuable to malicious actors, and affected organizations should prepare for the worst.
For some Oracle customers, the exposure of their own data is already a tangible reality. Some companies only learned that their user accounts were affected after Oracle warned them privately (weeks after the scandal broke), while others checked the leaked sample files following press reports and found their own employees’ data in them. The cybersecurity firm CloudSEK has also launched an online search tool with which any organization can check, based on its own data, whether it was affected by the leak (securityweek.com). This too shows how wide the repercussions of the incident are, with many companies trying to find out whether they could be affected.
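As an added example (not part of the original article, and not CloudSEK's or Oracle's tool), the following Python script shows the kind of exposure check described above: it scans a constructed leak sample whose CSV layout, tenant names and domains are assumptions, picks out the rows that belong to your own e-mail domains, and ranks them by how urgently each credential class needs to be rotated.

```python
"""Exposure triage over a leaked credential sample.

Added example; the sample rows below are constructed to match the record
types named in the forum post (SSO passwords, LDAP hashes, JKS files) and
are not taken from the real dump. Given your own e-mail domains, list the
rows that concern you and rank them by rotation urgency.
"""
import re
from collections import Counter

# Constructed sample; the CSV shape is an assumption: tenant,email,type,value
SAMPLE_LEAK = """\
tenant,email,credential_type,value
acme-prod,alice@acme.example,ldap_hash,{SSHA}dGVzdHNhbHRlZGhhc2g=
acme-prod,bob@acme.example,ldap_hash,{SHA}dGVzdHVuc2FsdGVkaGFzaA==
acme-prod,svc-oem@acme.example,jks,oem_keystore.jks
othercorp,carol@othercorp.example,ldap_hash,{SSHA}b3RoZXJoYXNo
acme-test,dave@acme.example,sso_encrypted,ENC:ZmFrZWJsb2I=
"""

# Rotation priority per credential class (1 = rotate first). Rationale:
# key material and anything the attacker claims he can decrypt are usable
# at once; unsalted fast hashes fall to wordlists quickly; slow KDFs buy
# time but still must be rotated because salt and hash are now public.
PRIORITY = {
    "jks": 1,            # private keys/certs: revoke and reissue
    "sso_encrypted": 2,  # attacker says he holds the decryption files
    "{SHA}": 2,          # unsalted SHA-1
    "{MD5}": 2,          # unsalted MD5
    "{SSHA}": 3,         # salted SHA-1, still a fast hash
    "{CRYPT}": 3,
    "{PBKDF2}": 4,       # slow KDF
    "{ARGON2}": 4,
}
DEFAULT_PRIORITY = 2     # unknown scheme: treat as urgent, not as safe

SCHEME_RE = re.compile(r"^(\{[A-Z0-9-]+\})")


def classify(cred_type, value):
    """Priority key: the LDAP hash scheme prefix, or the credential type."""
    if cred_type == "ldap_hash":
        m = SCHEME_RE.match(value)
        return m.group(1) if m else "{UNKNOWN}"
    return cred_type


def my_exposed_accounts(csv_text, my_domains):
    """Rows whose e-mail domain is in my_domains, most urgent first."""
    my_domains = {d.lower() for d in my_domains}
    rows = []
    for line in csv_text.strip().splitlines()[1:]:   # skip header
        tenant, email, cred_type, value = line.split(",", 3)
        if email.rsplit("@", 1)[-1].lower() not in my_domains:
            continue
        key = classify(cred_type, value)
        rows.append({"tenant": tenant, "email": email, "class": key,
                     "priority": PRIORITY.get(key, DEFAULT_PRIORITY)})
    return sorted(rows, key=lambda r: (r["priority"], r["email"]))


def class_counts(rows):
    """How many rows of each credential class, for the incident report."""
    return Counter(r["class"] for r in rows)


if __name__ == "__main__":
    hits = my_exposed_accounts(SAMPLE_LEAK, {"acme.example"})
    for r in hits:
        print(r["priority"], r["tenant"], r["email"], r["class"])
    print(dict(class_counts(hits)))
```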
Security implications and lessons
The Oracle Cloud incident offers several troubling security lessons. First, it shows that even the largest technology companies can make basic mistakes in security hygiene. In this case, Oracle failed to patch a known vulnerability in its own infrastructure in a timely manner (theregister.com). This failure directly allowed attackers to enter the cloud network through old, “forgotten” servers. The lesson is simple: skipping regular security updates and audits can have fatal consequences even for a global giant. Oracle should definitely review its internal security processes after this, especially with regard to the maintenance of the environments running its own software.
As for the security of the affected customers, their primary task is to contain the damage. The credentials that Oracle has now admitted were leaked are a potential weapon in the hands of malicious attackers. All affected parties should immediately change their passwords, revoke or replace all keys and tokens associated with the affected user accounts, and conduct a comprehensive security audit of their systems (log analysis, search for further signs of intrusion). Security experts warn that with the acquired data, attackers could launch targeted phishing campaigns or try to take control of accounts in other services (ainvest.com) – especially if the same or weak passwords were used elsewhere. So the risk extends beyond the specific Oracle Cloud incident: other systems and services could also be compromised if the stolen credentials are misused (for example, corporate email accounts, VPN access and the like could be opened with the same password).
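As an added example (not from the article), one way to carry out the log analysis step above in Python: it walks constructed authentication log lines (the log format, account names and addresses are assumptions), takes the January 2025 start of the compromise window from the reports cited earlier, and flags successful logins by exposed accounts that come from a source never seen for that account before the window or that directly follow a failed attempt from the same source.

```python
"""Review of authentication logs for accounts named in a leak.

Added example; the log lines are constructed and the log format is an
assumption. Starting from the estimated beginning of the compromise window
(January 2025, per the reports cited in the article), flag successful
logins by an exposed account that come from a source address never seen
for that account before the window, or that directly follow a failed
attempt from the same source, the pattern a tried-out leaked password leaves.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed lines; not from any real system.
SAMPLE_LOG = """\
2024-11-03T09:01:10Z LOGIN_OK user=bob@acme.example src=198.51.100.20
2024-12-18T08:47:02Z LOGIN_OK user=bob@acme.example src=198.51.100.20
2025-02-21T02:14:55Z LOGIN_FAIL user=bob@acme.example src=203.0.113.7
2025-02-21T02:15:03Z LOGIN_OK user=bob@acme.example src=203.0.113.7
2025-02-22T10:00:00Z LOGIN_OK user=alice@acme.example src=198.51.100.21
2025-03-02T23:40:12Z LOGIN_OK user=carol@acme.example src=192.0.2.9
malformed line that the parser should skip
"""

COMPROMISE_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
FAIL_OK_WINDOW_SECONDS = 600


def parse(log_text):
    """Return (timestamp, result, user, src) tuples in time order."""
    events = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in other formats rather than abort
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), m["result"],
                       m["user"].lower(), m["src"]))
    return sorted(events)


def suspicious_logins(log_text, exposed_accounts):
    """Return (user, src, iso_timestamp, reasons) for logins to investigate."""
    exposed = {u.lower() for u in exposed_accounts}
    baseline = defaultdict(set)  # per user: sources seen before the window
    last_fail = {}               # (user, src) -> time of last failure
    findings = []
    for ts, result, user, src in parse(log_text):
        if user not in exposed:
            continue
        if ts < COMPROMISE_START:
            if result == "LOGIN_OK":
                baseline[user].add(src)   # pre-window sources are trusted
            continue
        if result == "LOGIN_FAIL":
            last_fail[(user, src)] = ts
            continue
        reasons = []
        if src not in baseline[user]:
            reasons.append("new-source")
        prev = last_fail.get((user, src))
        if prev and (ts - prev).total_seconds() <= FAIL_OK_WINDOW_SECONDS:
            reasons.append("fail-then-ok")
        if reasons:
            findings.append((user, src, ts.isoformat(), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in suspicious_logins(SAMPLE_LOG, ["bob@acme.example", "alice@acme.example"]):
        print(*f)
```

An account with no pre-window baseline at all (alice in the sample) is reported as "new-source" on purpose: with nothing to compare against, its post-window logins deserve a look rather than silence.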
Oracle’s initial communication delay also had important security consequences. Since the company initially denied everything, many customers may have been lulled into a false sense of security and did not immediately start incident response steps. In all such cases, rapid notification is critical – both because of legal requirements (see GDPR) and so that those affected can take the necessary precautions as soon as possible. The current situation highlights that procrastination and obfuscation increase risk: they give attackers time to exploit the data further, while victims are not even aware that they should be defending themselves. In the security profession this is often referred to as the “importance of transparency” – in the event of an incident, open and fast communication is itself part of the defense. Unfortunately, Oracle set a bad example in this respect, which not only damaged its reputation but also created concrete security threats for its customers.
Finally, the case also highlights the risks of cloud-based services. If a large service provider makes a mistake, it can have a chain-reaction effect on thousands of other organizations (which is why attacks like this are called supply chain attacks). Alongside the convenience and scalability of the cloud, every company must be aware that it is partially entrusting the security of its data to an external party. Trust is essential, but the service provider must continuously earn it – for example, by proactively ensuring protection and by managing problems transparently when they occur. The Oracle incident is a warning that you need to be prepared for the worst-case scenario from minute zero and work closely with your service provider on appropriate emergency plans.
Legal consequences (GDPR, legal obligations, lawsuits)
A data breach of this magnitude could have significant legal and regulatory consequences. Oracle's European customers are subject to the EU General Data Protection Regulation (GDPR), which requires data controllers to report a data breach involving personal data to supervisory authorities and (in cases of high risk) to affected individuals within 72 hours (hwsw.hu). If it is proven that Oracle failed to do so – and according to current information, the incident was only acknowledged weeks later, and not all affected individuals were informed in a timely manner – the company could face serious GDPR sanctions. The potential fine could be up to 2-4% of global annual revenue (theregister.com), which could amount to billions of dollars for Oracle. In addition, European authorities may impose further sanctions (e.g. data processing restrictions) if a breach of data protection regulations is found.
There is no uniform federal law requiring mandatory notification of data breaches in the United States, but several states, including California and Texas, have their own data breach notification laws. The state of Texas, for example, requires that data subjects be notified of a data breach within 60 days. A class action lawsuit has already been filed against Oracle in Texas over the incident. The plaintiffs allege that Oracle violated the Texas notification requirement by failing to notify users in a timely manner, causing them harm. The lawsuit also alleges that Oracle operated its systems with inadequate security measures, failed to properly train its employees about cyber threats, and was slow to detect the breach. All of these failures contributed to the incident occurring and to its more severe effects.
Additional lawsuits and regulatory investigations are expected in the coming months. Claims for damages may also arise from the companies and individuals involved. In Europe, class actions may even be launched against Oracle if it is proven that the company's negligence or intentional concealment increased the damage (hwsw.hu). Legal proceedings may drag on for years, but it is already certain that Oracle will have to devote significant resources to defending itself on the legal front as well. Regulatory sanctions may also come from the authorities: for example, the EU data protection bodies may launch an investigation, and the US FTC (Federal Trade Commission) may examine the case from a competition law or consumer protection perspective (e.g. because of misleading communications). In addition, if it is proven that health data was also affected (possibly in connection with the parallel incident at Oracle Health), the company may also be held liable under HIPAA regulations in the USA. Overall, Oracle not only has to repair the technological damage but also has to face multiple levels of legal liability.
Business Impact and Reputation Loss
A scandal of this magnitude inevitably affects Oracle's business reputation. The company has been trying for many years to catch up with its big competitors in the cloud services market (Amazon Web Services, Microsoft Azure, Google Cloud), and strengthening customer trust is key to its expansion. That trust may now be damaged. The company suffered reputational harm both because of the incident itself – many customers questioned whether Oracle was able to adequately protect their data – and because of the way it handled it. Oracle's communication drew criticism from both the professional community and the media, especially its denial of the obvious for days or weeks. Many see this as irresponsible, or at least anti-customer, behavior that erodes its good reputation. One security expert sarcastically called Oracle’s practice “exemplary incident management communication”, consisting of denial, diversion and repeated denial – a strategy that is clearly unsustainable in the long run.
Business losses were already apparent in the short term. As soon as the news spread, investors expressed concern and Oracle’s stock price began to fall. Within a few days of the incident becoming public, the company’s shares fell by about 3–4% (ainvest.com), indicating that the market is sensitive to security issues. If more details emerge or new incidents (such as the Oracle Health health data breach) occur, this could cause further volatility and uncertainty among investors. The lawsuit in Texas and potential regulatory fines could also be financially burdensome – in addition to the billions in fines and damages mentioned in the legal consequences section, Oracle will likely have to make additional investments in security. All of this adds up to a significant business cost and burden.
There are also impacts on the customer side. In certain sectors (e.g. government, finance), customers are particularly sensitive to such incidents – some Oracle customers may even rethink their cloud strategy or migrate to another provider because of the loss of trust. While mass customer churn is unlikely for a large provider, a tarnished reputation could cost the company new business. Oracle will need to work to regain its customers’ trust – for example, by providing enhanced security guarantees and auditable compliance, and perhaps by offering discounts or insurance policies to compensate partners who are concerned about what happened. However, rebuilding this kind of trust takes time, and the memory of this incident will have a long-term impact on the company’s reputation.
It should be noted that the timing of this incident is also particularly inconvenient for Oracle. In the past, the company has highlighted the security and reliability of Oracle Cloud in its marketing, emphasizing that it can handle even sensitive government data securely. Now, however, a data leak involving government customers is unfolding. Moreover, this is not the only recent security fiasco: in early 2025, another incident occurred at Oracle’s subsidiary Oracle Health (formerly Cerner, a healthcare IT company acquired by Oracle), where hackers also accessed sensitive data (personal information of hospital patients) (bleepingcomputer.com). Two consecutive privacy scandals may reinforce the narrative that Oracle has broader problems with its security culture. Overall, this can affect every area of the business: it may be harder to acquire new cloud customers, and existing large customers may demand more stringent audits in their contracts.
Lessons learned
The Oracle Cloud incident is a prime example of how a single cloud provider’s mistake can have far-reaching effects. The data security of hundreds of companies and institutions was compromised at the same time because of a single vendor’s weakness. The incident underscores the critical importance of cloud security and the need to protect customer data. Every company – whether a provider or a cloud customer – must continuously improve its security systems and protocols to maintain customer trust and avoid similar incidents in the future. In addition, transparent communication and accountability are key: rapid response, open communication and support for those affected can help mitigate damage and rebuild trust after an incident. For Oracle, this incident is also an opportunity to learn from its mistakes and develop a more security-conscious corporate culture. The market and customers will certainly be watching how the company fixes its systems and prevents similar data losses – because ultimately this will determine how competitive and reliable Oracle Cloud can remain in the world of cloud services.
Sources
Official announcements, reports from security analysis companies and press releases (The Register, BleepingComputer, SecurityWeek, HWSW, etc.), see references in the text.