Legacy Vulnerabilities & the Consequences of the Oracle Breach
Key Takeaways
- Oracle Cloud Breach: A major security incident affecting Oracle Cloud, with 6 million customer records from over 140,000 organizations exposed. Threat actors exploited outdated, unpatched legacy servers, gaining access as early as January 2025. Oracle was allegedly aware by February but delayed notifications.
- Oracle Health Breach: Another significant breach impacting Oracle Health, compromising sensitive patient data. Access to legacy systems occurred from January 2025, with Oracle's awareness by February, but notifications were delayed, revealing vulnerabilities in unpatched servers.
- Exploitation of Legacy Systems: Both breaches leveraged outdated, unpatched legacy servers with known vulnerabilities, highlighting a critical security gap that allowed threat actors to infiltrate the systems starting in January 2025.
- Oracle's Transparency Issues: Oracle has faced criticism for its lack of transparency, issuing misleading statements and relying on verbal-only communications with affected customers, leading to distrust and confusion among stakeholders.
- Government Involvement: The FBI and FINRA have stepped in to investigate, with a potential SEC investigation looming due to Oracle's failure to notify shareholders, reflecting growing regulatory scrutiny.
Deep Dive
Over the past few weeks, IT giant Oracle has found itself mired in one of the most significant cybercrime incidents in recent years—and certainly one of the most convoluted. While cybercrime typically involves some uncertainty, this saga has reached new levels of complexity—strange and confusing at best, overtly egregious and shrouded at worst—with Oracle largely responsible for the lack of transparency.
The Oracle Cloud Breach
On March 21, CloudSEK, an AI cybersecurity solutions company, reported discovering a threat actor on BreachForums (a dark web forum for cybercriminals) under the username "rose87168," who claimed to have hacked Oracle servers. The post, made around March 20, claimed access to Oracle servers and 6 million customer records from more than 140,000 Oracle customers. The attacker demanded payment from affected companies for data removal while also offering to sell or trade the data to other cybercriminals.
CloudSEK determined the attacker had been active within Oracle's servers since January, claiming to have accessed Oracle Cloud through an undisclosed vulnerability. Despite the threat actor having little prior history, their methods indicated a high level of sophistication. CloudSEK initially assessed the threat as high severity with medium confidence.
The 6 million lines of data were extracted via Oracle's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) in its cloud services. The data includes:
Additionally, the threat actor offered to trade data for help with decrypting the hashed passwords.
Later on March 21, BleepingComputer published Oracle's response denying the breach: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
BleepingComputer also contacted rose87168, who shared a URL showing a .txt file with the attacker's email address uploaded to the login.us2.oraclecloud.com server, demonstrating their ability to not only access but manipulate the server.
The attacker told BleepingComputer they had accessed this server approximately forty days earlier (around early February) and had contacted Oracle directly after exfiltrating data from the US2 and EM2 cloud regions. According to rose87168, they asked Oracle for over $20M in cryptocurrency in exchange for information about the breach method; Oracle refused, wanting all the information needed to resolve the breach without paying.
CloudSEK also received the URL and discovered the specific subdomain was captured on February 17, suggesting it hosted the Oracle Fusion Middleware 11G server, which according to FOFA (a search engine mapping cyberspace) was last updated in 2014.
The Oracle Fusion Middleware server, reportedly taken down since the hack, had a critical vulnerability (CVE-2021-35587) that was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list in 2022. CloudSEK assessed that this vulnerability was exploited due to inadequate patch management and/or insecure coding.
If the threat actor's claims are true, Oracle was aware of the threat more than a month before the BreachForums post attempting to sell/distribute the data and exploit compromised Oracle Cloud tenants.
Data Verification and Threat Actor Activity
Several days after their initial report, CloudSEK released a second report confirming the Oracle Cloud server compromise and that sample data from the original post contained domains of actual Oracle Cloud customers. rose87168 sent a 10,000-line sample of the alleged 6 million lines of data, from which CloudSEK determined:
- The small sample included at least 1,500 distinct organizations, pointing to a widespread breach.
- Both the sample size and structure are difficult to fabricate, adding credibility to the claims.
- Many data lines include organizational tenant IDs, suggesting that although some domains may be test environments, the threat actor likely has access to production environments as well.
- The list features numerous personal email addresses, primarily due to SSO-based authentication.
This sample was also sent to BleepingComputer and Alon Gal, co-founder and CTO of Hudson Rock, an infostealer data intelligence company. Gal contacted Hudson Rock's affected customers, who confirmed both the data's authenticity and that production domains were included, some hosting sensitive data.
BleepingComputer also reached out to representatives from organizations in the sample, who anonymously confirmed the data's authenticity. rose87168 shared the alleged email exchange with Oracle, including one sent directly to Oracle's security email reporting the server breach. A separate email thread appeared to show an exchange between rose87168 and someone claiming to be an Oracle representative (using a ProtonMail address) who stated, "We received your emails. Let's use this email for all communications from now on. Let me know when you get this."
Throughout this developing saga, rose87168 has continued claiming responsibility and providing proof. Beyond communicating with investigators, they created an X account and began following multiple Oracle pages, boldly stating they would prove their claims despite Oracle's denial. This raises further concerns as the threat actor may take more drastic actions to gain Oracle's attention.
rose87168 also shared a multiple-hour video recording of a meeting between Oracle employees, showing their screen activity and capturing their conversations.
On April 1, cybersecurity company CybelAngel, which had been investigating the Oracle Cloud breach, reported that an anonymous source indicated Oracle had finally admitted to customers that its Gen 1 servers were breached. However, Oracle reportedly communicated this only verbally, leaving no documentation.
CybelAngel's source also confirmed that Oracle discovered rose87168's activity in their servers in January, consistent with CloudSEK's early assessment.
Expert Analysis
Several cybersecurity professionals have offered their assessments. Jake Williams of Hunter Strategy noted that the URL the threat actor provided as evidence, which remained viewable through the Internet Archive's Wayback Machine after the hacked server was taken down, has since been removed from the archive, seemingly at Oracle's request (though a second archived URL remains available).
Kevin Beaumont raised the same issue on his DoublePulsar blog, accusing Oracle of using strategically misleading wording in its breach denial. He noted that the compromised server belongs to the older Oracle Cloud services (rebranded as Oracle Classic), which is where the breach occurred. Oracle's denial specifically stated that "Oracle Cloud" had not been breached, while the evidence clearly points to a breach of an Oracle cloud-based service.
After analyzing the 10,000-line sample, Beaumont stated it has "become 100% clear to [him] that there has been a cybersecurity incident at Oracle, involving systems which processed customer data."
While investigating the breach, cybersecurity professionals have urged affected companies to take immediate action to secure their data and mitigate potential damages.
A Second Breach Emerges
A week after the Oracle Cloud breach was reported, news broke of another incident at Oracle Health (formerly Cerner, acquired by Oracle in 2022). Oracle Health is a healthcare software-as-a-service (SaaS) company providing electronic health records (EHR) and business operations systems.
On March 28, BleepingComputer reported that Oracle Health privately disclosed the attack to affected customers earlier in March: "We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud," according to a notification letter received by customers.
According to GovInfoSecurity, rumors of a potential cybersecurity incident with Oracle Health's Cerner legacy products began circulating in early March.
Oracle stated in the letter that compromised customer credentials were used to access the servers sometime after January 22, after which data was extracted. Though the notice stated the stolen data "may" contain patient information, BleepingComputer confirmed with other sources that patient information had indeed been compromised.
While Oracle promised to help identify affected individuals, supply notification templates, and pay for credit monitoring and mail notification services, they told customers that Oracle is not responsible for determining if the breach results in HIPAA violations or if patient notification is required. Oracle also stated they would not notify patients directly. Additionally, Oracle provided no details about the attack method or explanation of how it occurred.
According to BleepingComputer, affected healthcare organizations have already been contacted by a threat actor named "Andrew" who claims to be acting independently and is demanding millions in cryptocurrency for the removal of stolen data. Like rose87168, this attacker has virtually no prior cybercriminal history.
Communication Failures
Beyond information security concerns, affected organizations have expressed frustration with Oracle's lack of transparency. BleepingComputer reported that Oracle's notifications were printed on plain paper rather than formal letterhead and signed by Seema Verma, Executive Vice President & GM of Oracle Health. Oracle provided no formal reports, instead instructing customers to contact Oracle's CISO by phone only (not email) for additional information. This lack of documentation has made it difficult for healthcare organizations to navigate the data breach, particularly when notifying patients and addressing potential HIPAA violations.
Customers have also expressed frustration over Oracle's failure to publicly acknowledge the incident.
The breach's size and scope remain unknown. Bloomberg reported that while Oracle Health has a large contract with the US Department of Veterans Affairs, the Department was not affected. Bloomberg also reported that the FBI is investigating the Oracle Health breach.
Unfortunately, Oracle's lack of transparency apparently extends to its own employees. TechCrunch spoke with an anonymous Oracle employee who reported that internal communication about the Oracle Health breach has been inadequate or nonexistent. The employee stated that they and their colleagues had to resort to Reddit and Slack for information. This employee described feeling "ignored" by Oracle and characterized the company's approach as "Nothing to see here, move right along."
Reaction and Consequences
As this saga continues to unfold, Oracle has faced intense criticism and questions while remaining publicly silent, apart from the denial it has repeated to BleepingComputer and others: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Amid mounting negative publicity, a class action lawsuit was filed against Oracle in Texas on March 31. While this particular suit has since been voluntarily dismissed, other firms across the US are investigating both attacks to potentially pursue similar cases.
Bloomberg reported on April 2 that the FBI is now investigating the Oracle Cloud breach as well, alongside cybersecurity company CrowdStrike, which Oracle has hired for mediation.
Bloomberg also received information from several anonymous Oracle employees who reportedly told affected customers, at the company's direction, that the breached servers were a "legacy environment" inactive for eight years and therefore posed little actual threat. However, another source familiar with the situation stated that some compromised data included login credentials as recent as 2024. This "legacy" server is Oracle Cloud Classic, as Beaumont pointed out in his blog post.
GovInfoSecurity reports that Oracle, a public company, has still not notified its shareholders of either breach, as required by the SEC within four business days of determining a breach to be "material" (defined as "a substantial likelihood that a reasonable investor would attach importance"). Both breaches appear to meet this definition.
The Financial Industry Regulatory Authority (FINRA) issued a cybersecurity alert on April 1, notifying Oracle customers, particularly those using Oracle Cloud and Oracle Health services, of the breach, advising them to review relevant information and determine any impact on their organizations.
Widespread Concerns
The cybersecurity community has expressed widespread concern about the potential impact of both attacks. The number of affected organizations is massive: over 140,000 in the Oracle Cloud breach alone, while the scope of the Oracle Health breach remains unknown.
Beyond organizational impacts, millions of individuals' personal information has been compromised. In the Cloud breach, this includes not only login information but also personal email addresses, phone numbers, and home contact details. Some data indicates higher-tier access, suggesting that the threat actor, and any other cybercriminals who acquire the stolen data, would likely have access to sensitive and potentially highly sensitive information.
In the Health breach, compromised data includes legally confidential patient information.
The nature of this information is causing particular concern among cybersecurity professionals. The theft of personal information at this scale represents a massive threat, especially when combined with compromised patient data.
In the Oracle Cloud breach, rose87168 offered to trade data lines for help decrypting hashed passwords. Threat actors possessing higher-tier access credentials pose significant risks to organizations, potentially resulting in:
Breakdown of Oracle's Response
What has heightened concerns and potential threats has been Oracle's handling of both incidents. Cybersecurity professionals investigating the attacks have identified several questionable aspects of Oracle's cybersecurity practices:
- Both attacks involved compromised legacy servers that hadn't been patched in years.
- In the Oracle Cloud breach, a known vulnerability listed by CISA since 2022 was exploited, with evidence suggesting Oracle was aware of its exploitability in the compromised server.
- Despite discovering the breaches in February, Oracle delayed customer notifications. Oracle Health customers were informed in early to mid-March, while Oracle Cloud customers weren't notified until around April 1, more than a week after the breach was reported in the headlines and after Oracle's initial denial.
- According to customer and employee reports, Oracle has been far from transparent about either breach, offering no formal reports and limiting communication primarily to phone calls, seemingly avoiding documentation.
- Evidence suggests Oracle had proof of the Cloud breach removed from the Internet Archive.
Despite all evidence and criticism from cybersecurity professionals, Oracle has remained publicly silent. They have largely declined to comment on either incident or answer questions, offering only their default denial response when pressed.
At a minimum, this represents a significant public relations failure for one of the world's largest IT companies, but the evidence appears to indicate much deeper problems with Oracle's cybersecurity management.
Oracle's delay in notifying customers about potentially compromised data left affected organizations vulnerable while threat actors had access to sensitive information without their knowledge. This is compounded by Oracle's lack of transparency regarding crucial details, making it more difficult for affected organizations to address the threats effectively.
Oracle could face multiple class action lawsuits for its handling of both breaches, particularly the Oracle Health attack. While class action lawsuits are common for corporations of Oracle's size, they will certainly damage the company's reputation further.
What should concern Oracle most is the attention these attacks are drawing from government agencies. It's becoming clear that the US views these attacks as a national cybersecurity threat.
FINRA has already issued an official cybersecurity alert, and the FBI is reportedly investigating both incidents. Alon Gal has called for involvement from the CISA, the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC). Additional regulatory agency intervention is expected as this situation continues to unfold. Given that Oracle has reportedly not notified shareholders of either breach, SEC involvement seems likely.
Summary
The dual Oracle breaches represent one of the most significant cybersecurity incidents of 2025, not just for their massive scale, affecting millions of records across thousands of organizations, but for the troubling questions they raise about corporate responsibility in the digital age. Oracle's apparent strategy of minimization, delay, and verbal-only communications has compounded an already serious situation, potentially leaving victims more vulnerable and hampering remediation efforts.
As regulatory agencies intensify their involvement and affected organizations scramble to secure their systems, the long-term impact remains unclear. What is certain is that this crisis has exposed critical vulnerabilities not just in Oracle's technical infrastructure but in its incident response protocols and corporate transparency practices.
The incident serves as a stark reminder that even tech giants are not immune to the consequences of neglecting basic security principles, especially when coupled with inadequate crisis management.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.