Oracle is finally notifying customers of a recent breach, one it repeatedly denied, but is continuing to downplay its severity.
News broke in March 2025 that Oracle had been breached, with a hacker claiming to have data from some six million Oracle customers. The data purportedly included authentication information and encrypted passwords from Oracle Cloud federated SSO login servers. The company repeatedly denied the claims, but customers confirmed to BleepingComputer that the sample data the hacker provided was correct.
Weeks after the incident, Oracle finally admitted the breach, but said Oracle Cloud itself had not been breached.
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” the company said at the time.
BleepingComputer is now reporting that Oracle is sending out breach notifications to its customers, but is still downplaying the incident, maintaining that Oracle Cloud was not breached, and that the hacker only gained access to “two obsolete servers.”
Unfortunately, there is mounting evidence that Oracle is not being forthcoming with customers, instead relying on wordplay and sleight of hand to hide the full extent of the breach.
Cybersecurity expert Kevin Beaumont pointed out exactly what Oracle is doing.
All the systems impacted are directly managed by Oracle. Some of the data provided to journalists is current, too. This is a serious cybersecurity incident which impacts customers, in a platform managed by Oracle.
Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle — or customers should start stepping off.
Update 1 — Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.
Oracle are denying it on “Oracle Cloud” by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.
Update 3 — Multiple Oracle cloud customers have reached out to me to say Oracle have now confirmed a breach of their services.
They are only doing so verbally, they will not write anything down, so they’re setting up meetings with large customers who query.
Oracle Is Digging Its Own Grave
Oracle—and especially founder Larry Ellison—has tried to position the company’s cloud offerings as a more reliable and secure alternative to what is offered by its larger rivals, such as AWS, Microsoft, and Google Cloud. The company is also heavily involved in the Trump administration’s Stargate AI program.
Ellison has also made no secret of his desire to build a 1984-style surveillance system that will use AI to monitor everyone, everywhere, all the time. Putting aside the fact that such a system should never exist, if it did exist, maintaining the security of the system would be a paramount concern.
In that context, these breaches are coming at the worst possible time for Oracle, calling into question the company’s ability to protect the data it is entrusted with, both now and in the future.
The only thing worse is the company’s response. Rather than own up to the breach and detail what measures are being taken to prevent it from happening again, Oracle is instead relying on wordplay and the apparent belief that its customers are idiots who are incapable of seeing past the company’s clumsy attempts to cover its tracks.
Such a course is sure to backfire on the company.
Oracle’s Letter In Full, Courtesy of BleepingComputer
April 7, 2025
Dear Oracle Customer:
Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach. No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.
A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data.
If you have questions about this notice, please contact Oracle Support or your Oracle Account Manager.