Kevin Beaumont
Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP data that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com
The poster has no prior reputation, it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com
Kevin Beaumont
If anybody is interested, the servers they claim they targeted all run Oracle WebLogic and are managed by Oracle as a SaaS service.
Kevin Beaumont
Has anybody else got Oracle to comment on this? No reply to my queries.
Kevin Beaumont
Oracle are denying a breach to @BleepingComputer, but the threat actor has provided an archived URL which suggests they somehow uploaded a file to the Oracle Access Manager (SaaS solution) frontend.
https://web.archive.org/web/20250301161517/http:/login.us2.oraclecloud.com/oamfed/x.txt?x
Silva
@GossiTheDog
As far as I know, no official comment from Oracle, but big customers are already being contacted and credentials/mfa are being reset as we speak.
Kevin Beaumont
The Oracle thing keeps getting more strange. The threat actor has supplied an hour long YouTube video, which appears to be taken from an endpoint inside Oracle... in 2019. They've also supplied a dump of data from 2025, to Hudson Rock. https://www.youtube.com/watch?v=375_G9wAffo
Kevin Beaumont
If anybody from Oracle follows me, I definitely think the OCI team needs to spin up security incident response on that YouTube video to try to find out what was happening. It looks like it may be a Citrix session recording of a staff member's access in OCI.
Kevin Beaumont
Hudson Rock are reporting the Oracle Cloud breach claim threat actor has provided 10k records, and they appear genuine according to one of their customers.
It’s unclear to me exactly what is happening with this one as the threat actor doesn’t appear to understand basic English grammar.. but there are signs something has happened at Oracle.
Big problem for Oracle as I’m not sure how plausible denials will be when threat actor, who sounds 12, is dumping data online.
Kevin Beaumont
CloudSEK are doubling down on their Oracle Cloud breach reporting, despite a denial from Oracle: https://cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis
I am still looking into this and will probably do a blog post this week. The threat actor is still dropping files everywhere and they do tend to point to a security incident at Oracle Cloud.
0ddj0bb Is At Cyphercon
@definity @GossiTheDog @BleepingComputer ive been wondering that too. Or even the word breach. They arent even saying theres an incident to talk about.
Definitions are useful and important, but a vendor does the public great disservice by hanging them by the neck with word play
Chad Brigance
@GossiTheDog @BleepingComputer
One thing you point out here has me thinking...
Does Oracle Cloud = Oracle Access Manager?
Looking at Oracle's own page on that, one could see it as a middleware component
https://www.oracle.com/middleware/technologies/access-management.html
Feels like Oracle is being very specific in their denial, but should we be asking a more specific question?
Kevin Beaumont
Bleeping Computer say multiple Oracle customers confirm their customer data has been stolen from Oracle Cloud. Oracle continue to deny there is a problem.
Kevin Beaumont
Also, that YouTube video I linked above has two hours of audio of Oracle employees talking. I haven’t transcribed it yet.
Separately, the threat actor has shared what they claim to be current config files from Oracle Cloud servers with a different reporter.
I’m deliberately staying out of this one for now as I’m trying to finish Assassin’s Creed Shadows first.. but I think Oracle may have a pending PR disaster when the TikTok deal is due to complete.
Keith Lawson
@GossiTheDog p.s. doesn't appear to have any sensitive customer information in this sample:
ChatGPT:
After reviewing it, there do not appear to be any sensitive details such as:
Email addresses
Usernames
Passwords
API keys
Personally identifiable information (PII)
The transcript is primarily a technical discussion about system upgrades, pre-checks, configuration files, CLI usage, and server operations. It references general hostnames and commands but does not disclose any security credentials or private user data.
barunick
@keith_lawson @GossiTheDog supposedly from 2019
Keith Lawson
@GossiTheDog I started the transcript. Here's what it's produced so far. I don't have a GPU in the system I'm running this on so not sure how long it's going to take to finish. I'll upload all file formats when it completes.
https://github.com/j-klawson/oracle_breach_2025/blob/main/output_start.txt
Kevin Beaumont
There’s now been a data breach at Oracle Health, which is separate to the ongoing security issue at Oracle Cloud.
Oracle have not commented publicly on the breach, instead telling people to only talk to their CISO by phone, not in writing. They’ve sent out letters without Oracle letterheads, using external lawyers instead.
The behaviour going on at Oracle with cybersecurity is extremely alarming.
Kevin Beaumont
Going back to the Oracle Cloud security incident, the 2019 video posted by the threat actor: https://youtu.be/375_G9wAffo
Now has an audio transcription https://github.com/j-klawson/oracle_breach_2025/blob/main/youtube_video_transcript.txt
ProtocolParameter
@GossiTheDog What would the suggested mitigations be for customer impacted? Verify and respond accordingly?
Kevin Beaumont
I can confirm there has definitely been a serious security incident at Oracle's managed cloud service, and they're attempting to wordsmith their way out of it. https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a
Dr. Christopher Kunz
@GossiTheDog Interesting. There's however an extra space in the Youtube link in this sentence: "The meeting is viewable here and the transcript is "
Dr. Christopher Kunz
@GossiTheDog Ah right, then there's an extra space in that link on medium. The video id reads "375_G9wAff+o" there. Thanks!
Kevin Beaumont
Oracle have attempted to hide the OAM access, by requesting archive.org exclude the URL.
Dr. Christopher Kunz
@GossiTheDog Something smells weird. Can I email you about that OCI thing?
Kevin Beaumont
The wordplay here is Oracle Cloud.
Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.
They’re denying it on “Oracle Cloud” by using this scope - but it’s their cloud service.
Kevin Beaumont
Apparently nobody from Oracle thought to exclude this URL as it still works https://web.archive.org/web/20250301161225/https://login.us2.oraclecloud.com/oamfed/x.txt?mail
colingilroymcguire
@GossiTheDog any notion as to whether their NetSuite softwarte is within scope for this?
devnoname120
@GossiTheDog It's also there lol
Kevin Beaumont
Multiple Oracle cloud customers have reached out to me to say Oracle have now confirmed a breach of their services.
They are only doing so verbally, they will not write anything down, so they’re setting up meetings with large customers who query.
Kevin Beaumont
Oracle Health customers dealing with the breach there of patient PII, if you’ve had a verbal briefing could you please Signal me? GossiTheDog.1337
I’m interested to see if they’ve told you it was in legacy Oracle Classic aka OCI Gen1 environments, like they have with Oracle Cloud customers - I’m trying to line up if the breaches are actually related.
It appears Oracle migrated people off OCI G1 a few years ago, but left the systems on and unpatched with customer data.
r00tjunkie
@GossiTheDog Nice try, you aren't tricking me into joining a chat with attack plans
ajantis
@GossiTheDog Unpopular opinion: Proof looks like web cache poisoning and not RCE. Looks like made to believe to be an actual txt file
Notice the "?" param where is used as part of cachebuster PoC for web cache poisoning
As if not, then all Archive entries should resolve to the same txt contents, however bunch 404 like the x.txt itself and there is "?a" which disproves the proof based from Archive timestamp
x.txt - 404
x.txt?mail - with email text
x.txt?a - 404
x.txt?x - with email text
ajantis
@GossiTheDog yeah is for another article about this I have read that seems to poise that RCE was established saying TA used an old CVE but am suspicious of it bec. of the txt file proof. That being said the existing "?a" parameter in Archive.org that was archived around 2 minutes after the "?mail" and before the "?x", so it is in between of the 2 proofs and based from its timestamp disproves that the actual x.txt itself doesn't exist and the parameters are more likely related to web caching.
Zahhaz
@GossiTheDog Interesting. rose has stated on the BF thread that the data belongs to OCI.
Kevin Beaumont
Heise has a look at the Oracle security incident. Oracle didn’t return request for comment when asked about Oracle Classic - I understand from multiple large outlets they’ve also declined to comment.
Dr. Christopher Kunz
@GossiTheDog Total radio silence so far, no statement - not even acknowledgement of my request for comment.
Dan Goodin
When I asked Oracle for comment, a PR person responded and offered a comment on the condition I not attribute it in any way to Oracle. When I said no, the PR person said Oracle was declining to comment.
Dan Goodin
I dunno. I think they were going to provide some sort of explanation or account of what happened (likely whitewashy or handwavy).
Dave 🐶
@GossiTheDog I'm actually genuinely intrigued to see whether this strategy will pay off.
In theory you only have to wait long enough for everyone to get bored and for some other significant thing to happen, then you're in the clear...
Kevin Beaumont
A class action lawsuit has been filed in the US around Oracle failing to publicly disclose a breach of Oracle Health. https://storage.courtlistener.com/recap/gov.uscourts.txwd.1172831612/gov.uscourts.txwd.1172831612.1.0.pdf
Kevin Beaumont
Meanwhile, on the Oracle cloud front, Oracle’s silence is deafening.
Andrew Elwell
@GossiTheDog have they filed an 8K yet? Don't remember seeing one on the bot feed.
Paco Hope #resist
@GossiTheDog
*Narrator*: He did not stay out of this. 😜
Kevin Beaumont
We have an update. Reuters and Bloomberg confirm my blog, that’s there’s a security incident going on at Oracle cloud. Oracle declined to comment, after lying to @BleepingComputer and other outlets on the record.
CrowdStrike is the IR company.
“Oracle staff acknowledged to some clients this week that an attacker had gotten into a legacy environment, Bloomberg News report said.”
Kevin Beaumont
“The company informed customers that the system has not been in use for eight years and that the stolen client credentials therefore pose little risk, the report added. The stolen data included Oracle customer log-in credentials from as recently as 2024, the report said.”
This would be Oracle Classic, aka Gen1. I’ve been told the systems were left online after migration.. unpatched.
Oracle are trying to play legacy angle - but what else was stolen? What else did the attacker do? Why cover up?
Kevin Beaumont
The Bloomberg article is paywall so here’s screenshots.
Kevin Beaumont
Yeah, by legacy system Oracle mean ‘a system we manage housing active customer data’. They’ve also been telling people it isn’t Oracle Cloud.. but it is, and they know it is, they’re just doing customer talking points to wordsmith around it.
Kevin Beaumont
Oracle were still trying to get SaaS solutions *they* manage off Oracle Classic aka Gen1 as of 2023. They made a mess of it.
Kevin Beaumont
To answer my own question up thread - from talking to people, the Oracle Health breach appears to be unrelated to the Oracle SaaS incident this thread describes.
In both cases they’re being extorted, and in both cases they’re working with the FBI and external incident response.
Kevin Beaumont
Also in both cases Oracle hasn’t filed an 8-K or told regulators or provided an IR report to customers or a written technical statement of what happened or put anything on their website or commented to press.
Scott Wilson
@GossiTheDog Bro you act like following the law in the U.S. is a thing or something bro
Kevin Beaumont
Bleeping Computer report that although Oracle are telling clients the login data is "old", they've received login details from the threat actor current to this year (2025). Oracle haven't returned requests for comment. https://www.bleepingcomputer.com/news/security/oracle-privately-confirms-cloud-breach-to-customers/
Dave 🐶
@GossiTheDog Yes, the "old" line doesn't match up with what we know as customers.
That said, we've not had that line directly from our Account Manager, so I'm waiting for an updated statement from them.
saua
@GossiTheDog I wonder if there's a way to do mail signature-style footers on toots. At this point "Oracle haven't returned requests for comment" could just be autos appended to each message on the topic.
Kevin Beaumont
The Oracle cloud threat actor has told the BBC they plan to release European region Oracle Cloud Classic data this weekend. #threatintel
RaulV
@GossiTheDog haha...ain't no one buying oracle's B.S.
dave
@GossiTheDog Oracle has a lawsuit regarding their own illegal theft and sale of data, but they're getting into the health business, where they will be entitled to your data.
Kevin Beaumont
The Register has a look at the Oracle situation. No new info, as Oracle won’t comment on anything and the info they’ve told customers is extremely light.
https://www.theregister.com/2025/04/08/oracle_cloud_compromised/
Kevin Beaumont
Oracle have finally issued to a written notification to customers about their cybersecurity incident.
They are again wordsmithing. OCI is a different org unit in Oracle to Oracle Classic - they’re denying a different scope.
How long was the attacker in the SaaS solution (that Oracle manage)? What did they do with the access? How long were they in for? Why were ‘legacy’ systems containing customer info left unmanaged and insecure? Etc.
Really poor response from a SaaS provider.
CyberSECIntelligence2
@GossiTheDog do you have the link, I can't find it! or it is just an email for customers?
Kevin Beaumont
If anybody is struggling to find the Oracle security incident notification email, search your email server for subject “Oracle customer notification” - if anybody in your org got the email, your Oracle SaaS service is impacted (not that you’d know it from the email). It’s widespread.
Kevin Beaumont
Watch Oracle PR their way out of their responsibilities.. they’ve managed to publish a security incident notification and have the press run it as a denial. https://insight.scmagazineuk.com/oracle-further-dismisses-breach-rumours-in-customer-communication
Johannes
@GossiTheDog relevant meme from the office meme wall
Kevin Beaumont
A Senator has written to President Trump raising concern about Oracle’s involvement in purchasing TikTok. https://www.warner.senate.gov/public/_cache/files/c/3/c351121c-0d93-408c-a644-cd9dfc403857/71F66735F28545047D35135624DD3ED5DB5A52483C15495CCC5988211B908C24.trump-tiktok-letter-250407-174338.pdf
Kevin Beaumont
CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.