CISA officials have issued a warning about a data breach affecting Oracle, cautioning about the potential risks to organizations and individuals. The breach was first discovered in January, when hackers stole information and accessed client credentials stored on legacy Oracle systems.
Oracle’s Silence on the Issue
For weeks, Oracle privately informed its customers about the incident, but it avoided making a public announcement. In a letter to customers, Oracle confirmed that Oracle Cloud Infrastructure (OCI) was not breached. However, the company admitted that hackers accessed and published usernames from two outdated servers that were never part of OCI. The FBI and CrowdStrike are currently investigating the incident, according to the letter Oracle sent to customers.
The breach only came to public attention when the hacker, known as “rose87168”, took to social media to brag about the theft. The hacker even offered the stolen documents for sale on cybercriminal forums.
Extent of the Breach
Cybersecurity firms, including CloudSEK and CybelAngel, confirmed that the hacker was selling 6 million stolen records. The compromised data came from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. More than 140,000 Oracle customers across various industries and regions were impacted by the breach.
Experts discovered that the stolen data included encrypted passwords, key files, and other sensitive information. The hacker, according to CloudSEK, even tried to get help from other hackers to decrypt the stolen credentials. The hacker also threatened Oracle customers, offering to delete their stolen data for a fee.
CISA Issues a Warning
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a statement saying that, while the full scope of the breach is still unknown, the incident poses significant risks to organizations. CISA highlighted the potential danger of exposed credentials that may be used across different, unaffiliated systems or embedded in various places. CISA explained,
“When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed.”
The agency also warned that the compromise of credentials, usernames, emails, passwords, authentication tokens, and encryption keys can lead to serious risks, including:
- Escalating privileges within networks
- Access to cloud and identity management systems
- Phishing and business email compromise campaigns
- Reselling access to stolen credentials
- Enriching previously stolen data for further intrusions
What Should Organizations Do?
CISA urged organizations to take immediate action to mitigate the risks from the breach:
- Reset all passwords for affected services
- Review source code for vulnerabilities
- Monitor authentication logs for any unusual activity
- Report any incidents to authorities
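The embedded-credential problem CISA describes is easier to act on with a scanner that can be run over source and configuration trees. The following Python script is an added example, not code from the article, CISA or Oracle; it flags hard-coded LDAP and Oracle connection passwords, assigned secrets and private-key blocks, skips values that are only environment-variable or template references, and redacts the secret in its report. The sample configuration and every value in it are constructed.

```python
import re

# Regexes for credential material commonly embedded in code or config files.
# A named group "secret" marks the part that must be redacted in any report.
PATTERNS = {
    "url_with_password": re.compile(
        r"\b(?:ldaps?|https?)://[^\s:/@]+:(?P<secret>[^\s@]+)@", re.I),
    "oracle_thin_userpass": re.compile(
        r"jdbc:oracle:thin:[^\s/@]+/(?P<secret>[^\s@]+)@", re.I),
    "assigned_secret": re.compile(
        r"\b\w*(?:password|passwd|pwd|secret|token|api[_-]?key|bindpw)\b"
        r"\s*[:=]\s*['\"]?(?P<secret>[^\s'\"]{6,})", re.I),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Values that reference an env var or template rather than a literal secret.
PLACEHOLDER = re.compile(r"^(?:\$|\{\{|<|%\(|os\.environ|getenv\(|env\()", re.I)

def _redact(line, m):
    # Replace only the secret portion so the report itself leaks nothing.
    if "secret" in m.groupdict() and m.group("secret") is not None:
        return line[:m.start("secret")] + "***" + line[m.end("secret"):]
    return line

def scan_text(text, path="<input>"):
    # Returns (location, pattern label, redacted line) for each suspected hit.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if label == "assigned_secret" and PLACEHOLDER.match(m.group("secret")):
                continue  # env/template reference, not a hard-coded value
            findings.append((f"{path}:{lineno}", label, _redact(line, m).strip()))
            break  # one finding per line is enough
    return findings

# Constructed sample configuration; none of these values are real.
SAMPLE = """\
ldap.url=ldap://cn=svc-bind,dc=example,dc=test:Sup3rS3cret!@ldap.example.test:389
db.url=jdbc:oracle:thin:app_user/Or4cleP4ss@db.example.test:1521/ORCL
api_key = "AKIAEXAMPLEFAKE00000"
password = os.environ["APP_DB_PASSWORD"]
bind_password: ${LDAP_BIND_PW}
-----BEGIN RSA PRIVATE KEY-----
timeout = 30
"""

if __name__ == "__main__":
    for loc, label, excerpt in scan_text(SAMPLE, "app.conf"):
        print(f"{loc}  {label:<22} {excerpt}")
```

Running the script on the sample reports four hits (lines 1, 2, 3 and 6) and ignores the two environment-variable references.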
Oracle has yet to respond to requests for comment regarding the warning issued by CISA. However, three Oracle Cloud customers have confirmed that their data was included in the leaked set, underscoring the severity of the breach.