
Oracle Quietly Notifies Customers After Alleged Cloud Hack


Oracle is privately alerting select customers about a cloud-related security breach, even as it continues to publicly downplay the situation. A hacker using the alias rose87168 recently surfaced online, claiming to possess millions of records tied to more than 140,000 Oracle Cloud tenants. These records allegedly include encrypted credentials, access tokens, and user details.

The individual behind the breach initially demanded a $20 million ransom. When that approach failed, they pivoted to offering to sell the data or to trade it for rare software vulnerabilities, including zero-day exploits.

Oracle, for its part, released a firm denial. The company stated that there had been “no breach of Oracle Cloud,” and emphasized that “no Oracle Cloud customers experienced a data loss.” According to the company, the exposed credentials were not linked to their cloud platform.

Yet the hacker has shared material that contradicts this official position and appears to back up their claims. This includes a sample of 10,000 customer records, access logs, and even a video recording that appears to show an internal Oracle meeting. Screenshots of system-level access and user credentials have also circulated, further fueling doubts about Oracle’s denial.

Independent cybersecurity researchers who reviewed the leaked information noted it appeared to originate from a live production environment. Some cloud customers have privately confirmed that their data is among the leaked files.

While Oracle has issued a public denial, it has not responded to follow-up questions from security experts. However, multiple sources close to the matter say the company has been reaching out to affected customers quietly, offering verbal confirmations of the breach but avoiding written documentation.

These private disclosures suggest that Oracle has acknowledged the breach internally. Reportedly, the affected systems involve legacy infrastructure, possibly dating back to older “Gen 1” cloud servers. These systems may not have been updated in years, but some compromised data allegedly dates from as recently as 2024.

Sources also revealed that the breach exploited a known vulnerability in Java from 2020, which allowed the attacker to install a webshell and infiltrate Oracle’s Identity Management (IDM) database. Once inside, the attacker deployed malware that exfiltrated sensitive data over an extended period.

The unauthorized access reportedly began in January 2025, but Oracle only started investigating in late February. The attacker was removed from the system shortly after demanding ransom in early March.

Some cybersecurity analysts believe Oracle’s use of terms like “legacy” or “Gen 1” is intentional. By distinguishing these older environments from their current offerings, the company may be attempting to sidestep responsibility while still technically denying that “Oracle Cloud” was breached.

Experts warn this type of semantic maneuvering could erode trust. Without full transparency, customers are left uncertain about the true extent of the incident, the types of data exposed, or what protections have been put in place since.

In a separate incident also involving Oracle, there have been unconfirmed reports of a breach in Oracle Health systems, impacting patient records at several U.S. healthcare providers.
