CISA Issues Alert on Potential Legacy Oracle Cloud Compromise

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

BleepingComputer has confirmed the rumor that Oracle has suffered a compromise affecting its legacy environment, including the compromise of old customer credentials (originally denied by Oracle). Oracle notified some affected clients that old legacy data from Oracle Classic (last used in 2017) was involved in the incident. BleepingComputer has reportedly had direct contact with the threat actor, which has “shared data with BleepingComputer from the end of 2024” and posted newer records from 2025 on a hacking forum.

The incident was discovered in late February. According to BleepingComputer, “the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.” The threat actor offered over six million data records for sale on BreachForums on March 20, 2025, alleging the data originated from the Oracle incident.

On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on the “potential legacy Oracle Cloud compromise.” The guidance confirms that the incident’s scope and impact are uncertain but provides information about the risks associated with compromised credentials.

The Alert states:

The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risks to enterprise environments. Threat actors routinely harvest and weaponize such credentials to:

  • Escalate privileges and move laterally within networks.
  • Access cloud and identity management systems.
  • Conduct phishing, credential-based, or business email compromise (BEC) campaigns. 
  • Resell or exchange access to stolen credentials on criminal marketplaces.
  • Enrich stolen data with prior breach information for resale and/or targeted intrusion.

The Alert provides recommendations to organizations “to reduce the risks associated with potential credential compromise.” The recommendations are solid for any credential compromise but particularly relevant to Oracle customers. 

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robinson+Cole Data Privacy + Security Insider

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide