Oracle Corp. has told customers that a hacker broke into a computer system and stole old client log-in credentials, according to two people familiar with the matter. It’s the second cybersecurity breach that the software company has acknowledged to clients in the last month.
Oracle staff informed some clients this week that the attacker gained access to usernames, passkeys and encrypted passwords, according to the people, who spoke on condition that they not be identified because they’re not authorized to discuss the matter.
Oracle also told them that the FBI and cybersecurity firm CrowdStrike Holdings Inc. are investigating the incident, according to the people, who added that the attacker sought an extortion payment from the company. Oracle told customers that the intrusion is separate from another hack that the company flagged to some health-care customers last month, the people said.
An Oracle representative didn’t respond to messages seeking comment. The FBI declined to comment, while a CrowdStrike representative referred questions to Oracle.
Information about the stolen credentials started coming out last month, when an unidentified person began trying to sell data online that they claimed to have stolen from the Austin, Texas-based company’s cloud servers. Following these claims, which were previously reported by Bleeping Computer, Oracle denied that its cloud storage product had been hacked.
In a statement to customers, which was seen by Bloomberg News, the company said, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
This week, Oracle staff acknowledged to some clients that an attacker had gotten into what the company called a “legacy environment,” according to the people. The company informed customers that the system hasn’t been in use for eight years and that the stolen client credentials therefore pose little risk, the people said.
A third person familiar with the breach said the stolen data included Oracle customer log-in credentials from as recently as 2024. That person also spoke on condition that they not be identified because they’re not authorized to discuss the matter.
Researchers from the cybersecurity company Trustwave Holdings Inc. validated the data posted for sale online as directly extracted from Oracle, according to Karl Sigler, senior security research manager at Trustwave SpiderLabs Threat Intelligence. He described the stolen material as a “rich dataset” that could be used by hackers to send out phishing emails and potentially take over people’s accounts.
Separately, hackers broke into another Oracle computer system and stole patient data in an attempt to extort multiple medical providers in the US, Bloomberg News reported late last month.
In March, Oracle alerted some users of its patient records management software that sometime after Jan. 22, hackers accessed company servers and copied patient data to an outside location, according to a notification the software company sent to clients.
Photo: Oracle offices in Redwood City, California. Photographer: David Paul Morris/Bloomberg
Copyright 2025 Bloomberg.
Topics
Cyber
Fraud
Interested in Cyber?
Get automatic alerts for this topic.
