Oracle Acknowledges Significant Data Breach in Legacy Cloud Infrastructure

CyberSecureFox 🦊

Oracle has confirmed to affected customers a significant data breach of its legacy Oracle Cloud Classic infrastructure that exposed corporate client authentication data. The intrusion, discovered in early 2025, involved identity data held on systems Oracle describes as last actively used in 2017, and it ranks among the most substantial security incidents in the company's recent history.

Breach Discovery and Initial Response

The incident came to light when a threat actor using the handle "rose87168" published sensitive information on BreachForums in March 2025. The attacker offered to sell the stolen data, or to exchange it for 0-day exploits, and backed the claim with sample records and a list of more than 140,000 affected tenant domains. Oracle initially denied that Oracle Cloud had been breached; technical evidence published by the attacker and by researchers later forced the company to acknowledge the compromise.

Technical Analysis of the Security Incident

According to CybelAngel's investigation, the attackers exploited a 2020 Java vulnerability to breach Oracle Gen 1 servers in January 2025. The compromise enabled the deployment of a web shell, which gave the attackers unauthorized access to the Oracle Identity Manager database. The extracted data includes email addresses, usernames, and hashed passwords. Hashed does not mean safe: if the hashing scheme is weak or unsalted, or the passwords themselves are weak, offline cracking is practical, and any password reused on other services is exposed regardless of the hash. Affected organizations should treat these credentials as compromised: rotate the passwords and any SSO or LDAP bind credentials tied to the tenant, revoke active sessions and tokens, and watch for login attempts that fan out across many accounts from a single source, the signature of credential stuffing, as well as for targeted social engineering that uses the leaked addresses.
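The credential-stuffing follow-on attack mentioned above leaves a recognizable trace in authentication logs: one source address attempting logins against many different accounts in a short window, as opposed to a brute-force attack that hammers a single account. The following script is an added example written for this article, not Oracle code and not tied to any real product's log format; the log format, the `detect_stuffing` function, and the sample lines are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for this article. The log format is hypothetical:
    <ISO-8601 timestamp> <source-ip> <FAIL|SUCCESS> user=<login>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.5 tries six different accounts in
# six seconds (stuffing, one hit); 198.51.100.7 retries one account (not
# stuffing); 192.0.2.9 is a lone failure.
SAMPLE_LOG = """\
2025-03-21T10:00:01Z 203.0.113.5 FAIL user=alice@example.com
2025-03-21T10:00:02Z 203.0.113.5 FAIL user=bob@example.com
2025-03-21T10:00:03Z 203.0.113.5 FAIL user=carol@example.com
2025-03-21T10:00:04Z 203.0.113.5 FAIL user=dave@example.com
2025-03-21T10:00:05Z 203.0.113.5 SUCCESS user=erin@example.com
2025-03-21T10:00:06Z 203.0.113.5 FAIL user=frank@example.com
2025-03-21T10:00:30Z 198.51.100.7 FAIL user=alice@example.com
2025-03-21T10:00:40Z 198.51.100.7 FAIL user=alice@example.com
2025-03-21T10:00:50Z 198.51.100.7 SUCCESS user=alice@example.com
2025-03-21T12:00:00Z 192.0.2.9 FAIL user=gina@example.com
"""


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, result, username)."""
    ts, ip, result, user_field = line.split()
    user = user_field.split("=", 1)[1]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, result, user


def detect_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {source_ip: finding} for sources that attempted logins against
    at least `min_distinct_users` distinct accounts within `window`.

    Each finding records the largest distinct-account count seen in any
    window, the attempts in that window, and which accounts succeeded, since
    successful logins are the accounts to reset and investigate first.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    by_ip = defaultdict(list)
    for ts, ip, result, user in events:
        by_ip[ip].append((ts, result, user))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, _, u in window_evs}
            if len(users) < min_distinct_users:
                continue
            prev = findings.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window_evs),
                    "successes": sorted({u for _, r, u in window_evs if r == "SUCCESS"}),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {finding['distinct_users']} accounts in "
              f"{finding['attempts']} attempts; successes={finding['successes']}")
```

Tune `window` and `min_distinct_users` to the normal login volume of the tenant; the important design choice is counting distinct accounts per source rather than raw failures, which is what separates stuffing and password spraying from an ordinary user mistyping a password.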

Concurrent Oracle Health System Compromise

In a parallel incident, Oracle Health (formerly Cerner) suffered a separate breach affecting numerous U.S. healthcare organizations. Threat actors used compromised customer credentials to access Cerner data migration servers, exposing sensitive patient information. Taken together, the two compromises point to weaknesses in how Oracle manages and secures legacy infrastructure.

Incident Response and Security Implications

CrowdStrike analysts, working alongside FBI investigators, are conducting a thorough investigation of both incidents. Oracle has begun notifying affected clients privately, stressing that the compromise was limited to legacy infrastructure. Security researcher Kevin Beaumont notes that Oracle's initial denial that "Oracle Cloud" had been breached rested on wordplay: the compromised platform is the older Oracle Cloud, since rebranded as Oracle Cloud Classic, so the statement was technically accurate but misleading.

The incident is a pointed reminder that legacy systems need the same patching and monitoring as production ones, or need to be decommissioned. Organizations should audit their cloud service footprint, with particular attention to deprecated or legacy tenants that may still hold live credentials or federation settings while running unpatched software. Concretely, that means inventorying every tenant and environment (including ones believed retired), rotating credentials and secrets associated with them, enforcing multi-factor authentication where the platform supports it, and removing trust relationships to systems that no longer receive security updates. Outdated infrastructure left running without adequate controls is an attack surface, not a dormant asset.
