Oracle has officially confirmed that a hacker accessed and leaked usernames from two outdated servers, clarifying that its Oracle Cloud Infrastructure (OCI) was not impacted.

In customer notifications shared via email, the company emphasized that no customer environments or data within OCI were accessed or compromised.

The data breach, which first surfaced in March when a threat actor known as rose87168 listed 6 million records for sale on BreachForums, sparked speculation about a potential Oracle Cloud breach. However, Oracle insists that the compromised servers were never part of its modern OCI platform and were instead part of what is now branded as “Oracle Cloud Classic.”

“A hacker did access and publish user names from two obsolete servers… not a part of OCI,” the company stated. Oracle also noted that all passwords were either encrypted or hashed, making them unusable for unauthorized access to live systems.

Despite Oracle’s reassurances, cybersecurity experts have criticized the company for “wordplay,” noting that Oracle Cloud Classic is still an Oracle-managed service. Cybersecurity researcher Kevin Beaumont highlighted that Oracle’s response downplays the incident by using specific branding distinctions, though the services remain under Oracle’s purview.

According to reports from BleepingComputer and cybersecurity firm CybelAngel, the attacker deployed malware and a web shell on legacy Oracle Cloud Classic servers as early as January 2025. Data allegedly stolen includes email addresses, usernames, and hashed passwords, with some records dated as recently as 2025.

This breach follows a separate incident at Oracle Health earlier this year, where another hacker stole patient data from U.S. hospitals and is now attempting to extort affected institutions.

While Oracle continues to deny any breach of its current cloud infrastructure, these back-to-back incidents raise concerns about the security of legacy environments and the transparency of breach disclosures.