Oracle has started sending out written notifications to customers regarding the recent cybersecurity incident, but faces mounting criticism over the way it handled the disclosure of the hack.
A hacker announced on a cybercrime forum on March 20 that they had hacked Oracle Cloud servers, offering to sell millions of records allegedly associated with over 140,000 tenants, including encrypted/hashed credentials.
Oracle rushed to categorically deny that there had been a breach of Oracle Cloud systems, making it appear as if it was completely denying getting hacked.
However, the hacker started leaking stolen information, which security firms assessed as likely being genuine, and some Oracle customers confirmed that their data was included in the leak.
As more evidence of a data breach affecting Oracle systems came to light, Oracle started privately informing customers — reportedly through verbal notifications — that some systems were indeed breached, but pointed out that they were not Oracle Cloud systems.
On April 7, more than two weeks after the hack came to light, Oracle started sending out written notifications to customers, reiterating that Oracle Cloud Infrastructure (OCI) has “NOT experienced a security breach”.
“No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,” reads a notification email obtained by security expert Max Solonski.
However, the notification confirmed that “a hacker did access and publish user names from two obsolete servers that were never part of OCI”.
“The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data,” Oracle noted.
It’s worth noting that the hacker did admit that they were unable to crack the encrypted passwords.
Solonski and others have criticized Oracle for its response to this incident. Solonski pointed out that it may still be possible for someone to crack the passwords, and noted that even if the hacker only obtained usernames, that could be considered customer data.
Security researcher Kevin Beaumont, who has been monitoring the incident, has also criticized Oracle, describing its notification as “an exceptionally poor response for a company that manages extremely sensitive data”.
Beaumont believes the hacker may have targeted servers associated with Oracle Classic (also referred to as Gen1 servers), which is the name used for legacy cloud services. This enables Oracle to categorically deny a breach of OCI.
Several other questions remain unanswered, including the method used to hack Oracle systems and the age of the compromised data.
According to some reports, Oracle systems were breached through the exploitation of an old vulnerability. As for the age of the data, Oracle has reportedly told customers that it’s old, but some reports indicated that it’s as recent as 2024 and the hacker claimed to have obtained data from 2025.
Related: Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy
Related: State Bar of Texas Says Personal Information Stolen in Ransomware Attack
Related: Hacker Leaks Samsung Customer Data
