Oracle Acknowledges Data Breach and Starts Informing Affected Clients

Oracle Corporation has confirmed a data breach involving its older Gen 1 servers, marking the second cybersecurity incident disclosed by the company in recent weeks.

The breach, initially reported by a threat actor on Breachforums on March 20, 2025, has raised concerns about the security of Oracle’s cloud infrastructure and its ability to safeguard sensitive client data.

The threat actor, identified as “rose87168,” claimed responsibility for the breach and alleged access to 6 million data records. The stolen data reportedly includes usernames, email addresses, hashed passwords, and sensitive authentication credentials such as Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) information.

The attacker also exfiltrated Java Key Store (JKS) files and Enterprise Manager JPS keys. While no complete Personally Identifiable Information (PII) was exposed, Oracle confirmed that the compromised data is approximately 16 months old.

The breach was facilitated through a 2020 Java exploit that allowed the attacker to deploy a web shell and malware targeting Oracle’s Identity Manager (IDM) database.

The attacker reportedly gained access as early as January 2025 and remained undetected until late February, when Oracle launched an internal investigation.

Oracle has notified affected clients and reinforced security measures around its Gen 1 servers. The company emphasized that its Gen 2 servers remain unaffected and denied any breach of its primary Oracle Cloud infrastructure.

Despite these assurances, cybersecurity firm CybelAngel reported that Oracle privately acknowledged the incident to stakeholders and confirmed unauthorized access to legacy systems.

Threat Actor Profile: “rose87168”

The hacker “rose87168” appears to be a relatively new player in the cybercrime landscape, with their account created only in March 2025. Their primary motive seems financial, as they demanded a $20 million ransom from Oracle.

However, they also expressed a willingness to exchange stolen data for zero-day exploits, indicating broader criminal ambitions.

The attacker strengthened their claims by releasing proof of stolen data, including sample databases and LDAP credentials. Security researchers have validated portions of this data, further substantiating the breach.

“In data released to a journalist for validation, it has now become 100% clear to me that there has been a cybersecurity incident at Oracle, involving systems which processed customer data,” Kevin Beaumont said.

This breach follows another recent cybersecurity incident involving Oracle Health’s legacy Cerner servers, where patient data from U.S. healthcare organizations was compromised. While Oracle maintains that these breaches are unrelated, the timing has drawn scrutiny over the company’s overall security posture.

The Gen 1 server breach highlights vulnerabilities in legacy systems that have not been fully migrated to modern cloud infrastructure. Experts warn that if exploited further, such incidents could have cascading effects on enterprise security and supply chains.

Oracle’s response underscores the challenges faced by large enterprises in securing legacy systems while transitioning to newer platforms. As investigations continue, affected clients are advised to reset credentials, monitor for suspicious activity, and implement enhanced security measures.

While Oracle has taken steps to mitigate damage and reassure stakeholders, this incident serves as a stark reminder of the evolving threats in today’s cybersecurity landscape.

Alex Barraza

Defensive Cyber Operations Officer | M.Jur

3d

Thank you for the update!

Alex Barraza

Defensive Cyber Operations Officer | M.Jur

3d

🚨 Oracle Data Breaches in 2025: What We Know So Far 
Recent reports of data breaches at Oracle have sparked debate. In March 2025, a threat actor claimed to have stolen 6M records from Oracle Cloud, impacting 140K+ tenants. Oracle denies the breach, but researchers and customers argue otherwise, pointing to exploited vulnerabilities like WebLogic. Meanwhile, a separate Oracle Health breach compromised patient data, with the FBI now involved.

Key takeaways:
• Cloud Breach: Alleged 6M records, including SSO passwords and keys.
• Health Breach: Patient data from legacy servers hit, reported in Feb 2025.
• Action: Reset credentials, enforce MFA, and monitor updates.

The controversy continues as of April 5, 2025—stay informed and proactive. What’s your take on this unfolding story? #Cybersecurity #DataBreach #Oracle #CloudSecurity #TechNews

Otwori Edwin

Project Manager | IT and Telecommunications | Network Consultant| Fiber Optics Technician |Network Design

3d

Quite a notable breach!

Aman Kumar Nagpal

Associate Analyst | Information Security & GRC | Third Party Risk Management (TPRM)| ProcessUnity | UpGuard | OneTrust | CyberGRX

3d
