Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

Oracle Faces Mounting Criticism as It Notifies Customers of Hack

Oracle is sending out written notifications to customers over the recent hack after it initially appeared to completely deny a data breach.

Oracle patches

Oracle has started sending out written notifications to customers regarding the recent cybersecurity incident, but faces mounting criticism over the way it handled the disclosure of the hack.

A hacker announced on a cybercrime forum on March 20 that they had hacked Oracle Cloud servers, offering to sell millions of records allegedly associated with over 140,000 tenants, including encrypted/hashed credentials. 

Oracle rushed to categorically deny that there had been a breach of Oracle Cloud systems, making it appear as if it was completely denying getting hacked. 

However, the hacker started leaking stolen information, which security firms assessed as likely being genuine, and some Oracle customers confirmed that their data was included in the leak.

As more evidence of a data breach affecting Oracle systems came to light, Oracle started privately informing customers — reportedly through verbal notifications — that some systems were indeed breached, but pointed out that they were not Oracle Cloud systems.

On April 7, more than two weeks after the hack came to light, Oracle started sending out written notifications to customers, reiterating that Oracle Cloud Infrastructure (OCI) has “NOT experienced a security breach”.

“No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,” reads a notification email obtained by security expert Max Solonski. 

However, the notification confirmed that “a hacker did access and publish user names from two obsolete servers that were never part of OCI”.

Advertisement. Scroll to continue reading.

“The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data,” Oracle noted.

It’s worth noting that the hacker did admit that they were unable to crack the encrypted passwords.

Solonski and others have criticized Oracle for its response to this incident. Solonski pointed out that it may still be possible for someone to crack the passwords, and noted that even if the hacker only obtained usernames, that could be considered customer data.

Security researcher Kevin Beaumont, who has been monitoring the incident, has also criticized Oracle, describing its notification as “an exceptionally poor response for a company that manages extremely sensitive data”.

Beaumont believes the hacker may have targeted servers associated with Oracle Classic (also referred to as Gen1 servers), which is the name used for legacy cloud services. This enables Oracle to categorically deny a breach of OCI.

Several other questions remain unanswered, including the method used to hack Oracle systems and the age of the compromised data. 

According to some reports, Oracle systems were breached through the exploitation of an old vulnerability. As for the age of the data, Oracle has reportedly told customers that it’s old, but some reports indicated that it’s as recent as 2024 and the hacker claimed to have obtained data from 2025. 

Related: Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy

Related: State Bar of Texas Says Personal Information Stolen in Ransomware Attack

Related: Hacker Leaks Samsung Customer Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.