Oracle's letter to customers about an intrusion into part of its public cloud empire - while insisting Oracle Cloud Infrastructure was untouched - has sparked a mix of ridicule and outrage in the infosec community. The memo is now public and, since decoding corporate messaging is part of the job for any Register vulture, we've decided to present the letter in full, with translations-slash-annotations to make sense of it. For those who missed it, this note, emailed this week to Oracle customers, concerns the intrusion and theft of data from Oracle-hosted servers that you can read about here, here, and here.
Let's start from the top.
"April 7, 2025"
The intruder put data stolen from Oracle up for sale on a cyber-crime forum on March 20. That it took Big Red roughly 18 days to contact customers about the matter speaks volumes about the seriousness – or lack thereof – with which the database giant is treating this incident.
"Dear Oracle customer,"
Well, this does sound better than "Dear sheep waiting to get shorn."
"Oracle would like to state unequivocally that the Oracle Cloud - also known as Oracle Cloud Infrastructure - has not experienced a security breach. No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted."
Nice, but almost no one's saying OCI was breached. It's Oracle Cloud Classic - Big Red's older, still-active platform - that was hit. This is classic deflection, allowing non-technical folks to report no security breach occurred, when it's pretty clear that something happened.
"A hacker did access and publish user names from two obsolete servers that were not part of OCI."
We admit we were compromised, and also that we leave obsolete unpatched servers like sitting ducks on the internet. For indeed, the servers were broken into via a hole in Oracle's own middleware on its own tin that it forgot to patch. The thief, going by the handle rose87168, bragged of exfiltrating six million customer records – from security keys to encrypted passwords – during the raid and managed to successfully create a text file on an Oracle Cloud login server, specifically login.us2.oraclecloud.com. If Oracle's keeping that kind of stuff on two "obsolete" servers then what else is there left lying around its IT estate?
"The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data."
Well, yes, we would hope Oracle has one-way encrypted the passwords into hashes. That's standard. Given these are obsolete servers, apparently, they better not be using obsolete hashing functions. Hashed passwords are not necessarily impossible to crack.
"If you have any questions about this notice, please contact Oracle Support or your Oracle Account Manager."
Good luck with that. Despite around a dozen requests for details and clarification, Oracle refused to apologize or explain, and only denied everything. Those customers we've talked to say Big Red has not been responsive or given them any real reassurance. But Larry knows best! Go buy another license, or something. Notably, Oracle hasn't confessed how access was obtained.
The infosec community is not satisfied with the database titan's response. Max Solonski, who has spent over 20 years in the business, was scathing. "Congratulations to the perpetrator - being called 'a hacker' by a megacorp earns some serious street creds," he wrote. "When you get caught, be sure to deny any data breach allegations, you merely 'accessed some obsolete data.'"
Kevin Beaumont, director of emerging threats at Arcadia Group, asked why Oracle has not explained why data was stored on exposed legacy servers. "An exceptionally poor response for a company who manage extremely sensitive data - where Oracle manage services, they place customers last," he opined.
Omri Segev Moyal, co-founder of endpoint security outfit Minerva Labs, accused Oracle of trying to cover up the whole incident. He reminded us that Big Red had tried to remove evidence from the Internet Archive to keep the affair under wraps. "I recommend anyone which uses Oracle cloud to initiate a migration to other more reputable, organized, secured and honest vendors," he said. "Above all things, cloud relies on trust. Oracle completely destroyed their reputation this time. Big no-no, get out." ®
The Reg translates the letter in which Oracle kinda-sorta tells customers it was pwned

TL;DR: Move along, still nothing to see here - an idea that leaves infosec pros aghast