Oracle's cloud breach exposes customer data due to security flaws
- Oracle confirmed a successful intrusion into its public cloud, leading to the theft of customer data.
- The breach was linked to an unpatched vulnerability in its Access Manager software.
- The incident has spurred legal action and sparked outrage over Oracle's handling of security communications.
Oracle Corporation faced backlash after admitting that its public cloud infrastructure was compromised, primarily due to a failure to adequately patch its systems. This incident, which occurred in late March 2025, has drawn attention from various stakeholders, including the FBI and information security experts. The breach followed claims by an individual using the alias “rose87168,” who asserted that they had accessed two of Oracle's login servers and stolen approximately six million records, including sensitive customer data such as private security keys and encrypted credentials.
In the initial stages following the cyberattack, Oracle vehemently denied any breach, suggesting that the hacker's assertions were false. However, information security experts who reviewed the evidence provided by the hacker subsequently confirmed that Oracle's Cloud Classic product had indeed been infiltrated. The breach is believed to have been made possible by exploitation of CVE-2021-35587, a vulnerability in Oracle Access Manager within the company’s Fusion Middleware suite. Notably, it became apparent that Oracle had failed to patch a critical vulnerability, effectively leaving its own systems exposed to attack.
When contacted, Oracle reassured its customers that there was no breach affecting Oracle Cloud Infrastructure (OCI), emphasizing that the intrusion only targeted older servers not directly associated with OCI. However, experts in the information security community have expressed skepticism regarding Oracle's handling of the situation. Amid increasing scrutiny, two of Oracle's customers received communications from the corporation regarding the data theft, which raised concerns about the company's transparency and responsiveness in managing the security breach.
Meanwhile, a lawsuit has already been filed against Oracle in Texas, prompting the company to prepare for potential legal repercussions as parties interested in holding it accountable begin to emerge.
The incident has sparked outrage within the infosec community, leading to significant criticism of Oracle's communication strategy. The database giant's letter to customers was perceived as minimizing the severity of the breach while focusing on disclaimers regarding the OCI service being unaffected. Despite the acknowledgment of a data breach, Oracle's assurances that no customer data was accessed or compromised have been met with disbelief and derision by many experts. Furthermore, Oracle's decision to delay notifying customers for approximately 18 days demonstrates a troubling negligence regarding the seriousness of the situation, indicating a potential breach of trust with its clientele. As more details continue to emerge, the ramifications of this breach could extend beyond mere data theft, potentially affecting Oracle's reputation, financial standing, and customer relationships.