Oracle Reports Data Breach, Citing Hacker Access to Legacy System

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Oracle Corporation has informed customers that a hacker successfully breached one of its computer systems, stealing old client login credentials. The breach marks the second cybersecurity incident disclosed to Oracle clients in the past month.

On March 20, 2025, a cybercriminal using the “rose87168” alias claimed to have accessed at least two Oracle login systems, exfiltrating 6 million customer records that included encrypted single sign-on (SSO) and LDAP passwords, among other data.

The threat actor reportedly began attempting to sell stolen data online. The data was allegedly exfiltrated from the cloud servers of Oracle, headquartered in Austin, Texas.

A screenshot of the archived text file that rose87168 uploaded to an Oracle server | Source: TechCrunch

A Bloomberg News report on Wednesday revealed that this breach involved access to what Oracle has described as a "legacy environment," a system that has not been in active use for eight years.

According to Bloomberg, the attacker behind the breach sought an extortion payment from the company, although further details of the ransom demand were not disclosed. 

Despite the inactive status of this legacy system, Oracle disclosed that the stolen credentials may include client login information as recent as 2024. Customers were reassured that the compromised credentials pose minimal risk due to the outdated nature of the system. 

Oracle has confirmed to certain clients that the Federal Bureau of Investigation (FBI) and cybersecurity firm CrowdStrike Holdings have launched an investigation into the incident. 

A CrowdStrike representative referred inquiries to Oracle, and Oracle has yet to respond to additional requests for comment from Reuters. 

This breach is reportedly distinct from another incident last month that involved Oracle's healthcare customers and resulted in the alleged extortion of hospitals. At that time, Oracle had informed affected clients of an unrelated compromise but provided limited specifics.

Oracle has assured its clients that it is treating the breach with the utmost seriousness, working closely with federal authorities and cybersecurity professionals to mitigate any potential risks.

Meanwhile, the company was hit with a class-action lawsuit concerning improper protection of PII in an alleged cyberattack on Oracle Cloud.

