Oracle has privately informed some customers that hackers breached a legacy system unused since 2017. The attackers stole old client credentials. Oracle claimed the data was outdated and not sensitive. However, the hacker shared newer files from late 2024 and 2025 with BleepingComputer and posted them on a hacking forum. Oracle stated that the FBI and cybersecurity firm CrowdStrike are now investigating the Cloud Security incident.
The breach targeted Oracle’s older cloud system, known as Gen 1 or Oracle Cloud Classic. Cybersecurity firm CybelAngel said Oracle notified customers in January 2025. A hacker had accessed the old servers using a Java vulnerability from 2020. The attacker installed a web shell and other malware, raising concerns about legacy system security.
Oracle discovered the breach in late February. During this time, the hacker stole data from Oracle Identity Manager (IDM). This data included user emails, usernames, and hashed passwords.
On March 20, a hacker named “rose87168” listed 6 million records for sale on BreachForums. They shared samples with LDAP info, usernames, and company names to prove authenticity. The hacker claimed the data came from Oracle Cloud’s federated login system.
When asked by BleepingComputer, Oracle denied a breach of Oracle Cloud. The company said the leaked credentials were not from its current cloud platform. Oracle also stated that no Oracle Cloud customers lost any data.
Still, archived links showed files with the hacker’s email were uploaded to Oracle’s server. Though Archive.org removed the files, backup copies are still available online.
BleepingComputer later confirmed the leaked samples with several affected companies. The data included names, email addresses, LDAP display names, and other identifiers.
Despite this, Oracle continues to deny a breach of its current cloud services. It says the issue only impacted Oracle Cloud Classic.
Cybersecurity expert Kevin Beaumont explained the name difference. He said Oracle is using this distinction to avoid admitting a breach of “Oracle Cloud.” Experts warn that legacy systems, if left unmaintained, pose serious Cloud Security risks.
Meanwhile, Oracle has not responded to further questions from BleepingComputer regarding the breach.
Oracle Health Also Hit by Cloud Security Breach
In a separate incident, Oracle also told clients about a breach at Oracle Health (formerly known as Cerner), affecting several U.S. hospitals and healthcare providers.
Although Oracle hasn’t publicly announced this incident, BleepingComputer confirmed the theft of patient data, supported by private communications between Oracle Health and the impacted clients.
Oracle Health discovered the breach on February 20, 2025, and identified that it involved older Cerner data migration servers. Hackers reportedly used stolen customer credentials to access the servers after January 22, 2025.
Sources say that a hacker calling himself “Andrew” is now extorting affected hospitals, demanding millions in cryptocurrency to prevent the release of stolen patient data. He has even created websites to pressure these organizations into paying.
Bleeping Computer has reached out to Oracle Health several times since March 4, but has not received a response.
