Oracle Confirms Cloud Breach After Initial Denial — Hacker Claims, Leaked Data, and Silent Alerts Raise Eyebrows

In a turn of events that raises serious questions about transparency and cloud security, Oracle has reportedly suffered a significant data breach involving its cloud infrastructure — despite earlier claims denying any such incident. The tech giant has since begun quietly alerting affected customers, yet continues to downplay the scope and severity of the attack.

The breach first came to light when a hacker using the alias rose87168 began leaking what they claimed was sensitive data from Oracle Cloud, affecting over 140,000 tenants. This data allegedly includes encrypted credentials, usernames, and other critical customer information. The attacker initially demanded a $20 million ransom from Oracle, but after receiving no payment, began offering the stolen data for sale or trade in exchange for zero-day exploits.

Despite these allegations, Oracle’s initial response was categorical: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” That statement, however, is now being challenged by mounting evidence and independent confirmations from security experts and customers alike.

Hacker Evidence Contradicts Oracle’s Denials

According to SecurityWeek, the hacker has provided multiple pieces of evidence, including a sample of 10,000 customer records, a video that appears to show an internal Oracle meeting, and a file demonstrating access to Oracle’s cloud systems. Some leaked credentials are reportedly from 2024, contradicting Oracle’s claim — as reported by Bloomberg — that the affected environment hasn’t been used in over eight years.

Security researcher Kevin Beaumont suspects Oracle is using vague terminology like “Gen 1” to obscure the truth. He pointed out that Oracle Classic, which likely falls under that label, is still part of the company’s cloud infrastructure. This semantic spin, he says, allows Oracle to technically deny a breach of “Oracle Cloud,” even if the data originated from legacy cloud systems.

Beaumont also revealed that Oracle has not sent written notifications to customers; instead, the alerts have reportedly been verbal only — further raising concerns about the company’s transparency.

Malware, Java Exploit, and Long-Term Access

CybelAngel cited an anonymous source who claims the breach stems from a 2020 Java vulnerability that allowed attackers to install malware and a web shell on Oracle systems. The malware reportedly targeted Oracle’s Identity Management database, and access may have begun as early as January 2025. Oracle allegedly became aware of the issue in late February, around the time the ransom demand was made.

According to this source, only “Gen 1” cloud infrastructure was impacted — specifically, servers in the older Oracle Classic environment — while more modern “Gen 2” servers were untouched. Still, the compromised data, while reportedly at least 16 months old, appears to be linked to real production environments and real customer accounts.

Oracle Health Breach Adds to the Fallout

As Oracle continues to issue only limited public statements, reports of a separate breach involving Oracle Health systems have also emerged. The simultaneous exposure of customer and patient data from different Oracle systems has drawn serious concern from cybersecurity professionals and regulators alike.

Oracle’s handling of the cloud breach — from its initial denials to limited customer outreach — has invited criticism from across the security industry. As investigators from the FBI and CrowdStrike look into the matter, many are calling for greater transparency from Oracle to help affected organizations assess risk and take necessary steps to protect themselves.