Data leak at Oracle: Up to 2000 German victims? What is known and what is not
Data from the "Oracle Classic" cloud is for sale on the darknet. Analysts agree: the data is genuine. But some pieces of the puzzle are still missing.
(Image: JHVEPhoto/Shutterstock.com)
Almost a week after the first reports of a data leak at Oracle, new information is still coming to light, but uncertainties remain. In an initial denial, the US company denied a security incident, but was conspicuously specific in its choice of words. Experts believe this was intentional and refer to authentic-looking data records in underground forums. heise security took a look at the data.
It sounded like a disaster for Oracle: six million data records from customers of the "Oracle Classic" cloud environment were offered for sale by an actor in one of the largest international darknet forums for illegal data trading. However, the company denied it: "There was no attack on Oracle Cloud". There are now growing indications that the Oracle denial could be misleading. For example, security researcher Kevin Beaumont suspected in a blog article that Oracle was "playing with words".
In addition, the company had another piece of evidence deleted: an archive link at the "Wayback Machine". The attacker had apparently created this archive at the beginning of March 2025. It shows a text file of just 19 characters under the domain "login.us2.oraclecloud.com": the intruder's email address. The attacker therefore apparently had access to a central interface in the classic Oracle cloud environment, at least for a short time. As of April 1, 2025, the publication date of this report, the link has been restored at the Wayback Machine.
Attack on "the" Oracle Cloud or "an" Oracle Cloud?
At the heart of the discussion between attackers, Oracle and security researchers is the question of whether "the Oracle Cloud" was successfully attacked or not. Oracle itself denies this, but uses a rather peculiar and suspiciously precise nomenclature. In addition to the currently marketed cloud environment (OCI, Oracle Cloud Infrastructure), there is also "Cloud Classic", the predecessor generation of the Oracle Cloud. Although the classic cloud also offers all the functions of the Oracle IaaS cloud, the company would like to move customers to OCI, as it states prominently on the corresponding product page.
Oracle's statement explicitly denies an attack on "Oracle Cloud", i.e. the more modern OCI. It therefore seems certain that customers who only use OCI and have never used the previous environment are not affected. A test account from heise security, which we created in November 2024, does not appear in the domain list or in the demo data.
2000 German companies affected?
Speaking of demo data: free samples are part and parcel of selling stolen datasets in underground forums. They should be as up-to-date as possible, but must not reveal so much that the purchase becomes unattractive. The sample data for the Oracle leak therefore only contains a list of over 140,000 domains, a roughly two-year-old excerpt from an Oracle user database and a presumably seven-year-old text excerpt from an LDAP user tree. This caused a lively discussion among forum participants, especially as the attacker or attackers provided security analysts with an extended, more up-to-date data set.
(Image: Screenshot / cku)
So did heise security: We have a CSV file containing 10,000 data records, which, in addition to names and encrypted access data, also contains e-mail addresses and tenant IDs, i.e. Oracle-internal customer IDs. Our sample data set alone contains over 1500 unique tenant IDs, so this is not an attack on a single Oracle customer.
The customer list contains over 2100 domains ending in ".de", including many well-known companies and DAX corporations. Banks, food discounters, educational institutions, municipal IT service providers and many medium-sized companies can also be found there, as well as some domains that are more likely to be private individuals or test accesses. We took some random samples and were able to assign names from the leak to current employees of the companies mentioned. In addition, one affected person contacted the editorial team directly.
The security service provider CloudSEK is now offering concerned admins and companies a way to check. They can enter their main domain name in an online form – and this will be compared with the list provided by the attacker. As this is apparently based on the domain part of the email addresses, freemail providers such as GMX, Proton or mailbox.org also appear among the 140,000 domains.
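The two checks described above, counting unique tenant IDs and domains in a sample like the 10,000-record CSV, and comparing an organisation's own domain (including subdomains) against the domain part of the leaked e-mail addresses, can be reproduced locally without uploading anything to a third party. The following script is an added example and not code from heise security, CloudSEK or Oracle; the column names and every value in the embedded CSV are constructed for the example and are not taken from the real leak.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape the article describes: names, already
# hashed/encrypted credentials, e-mail addresses and Oracle tenant IDs.
# Column names and all values are invented for this example.
SAMPLE_CSV = """name,password_hash,email,tenant_id
Alice Example,$2a$10$placeholderhash1,alice@example-bank.de,tenant-0001
Bob Muster,$2a$10$placeholderhash2,bob@example-bank.de,tenant-0001
Carol Test,$2a$10$placeholderhash3,carol@example.org,tenant-0002
Dave Probe,$2a$10$placeholderhash4,dave@example-stadtwerke.de,tenant-0003
Erin Freemail,$2a$10$placeholderhash5,erin@gmx.de,tenant-0004
Frank Dup,$2a$10$placeholderhash6,frank@Example.ORG,tenant-0002
Grace Sub,$2a$10$placeholderhash7,grace@mail.example-stadtwerke.de,tenant-0003
Broken Row,$2a$10$placeholderhash8,not-an-email,tenant-0005
"""


def load_records(csv_text):
    """Parse the CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def email_domain(address):
    """Return the lowercased domain part of an e-mail address, or None
    if the value does not look like an address (no '@', empty local part,
    or a domain without a dot)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def summarize(records):
    """Basic triage of a dump sample: how many records, how many distinct
    tenants (i.e. distinct Oracle customers), how many distinct e-mail
    domains, and which of those end in '.de'."""
    tenants = {r["tenant_id"] for r in records if r.get("tenant_id")}
    domains = Counter()
    skipped = 0
    for r in records:
        d = email_domain(r.get("email", ""))
        if d is None:
            skipped += 1  # malformed address, counted but not attributed
            continue
        domains[d] += 1
    de_domains = sorted(d for d in domains if d.endswith(".de"))
    return {
        "records": len(records),
        "unique_tenants": len(tenants),
        "unique_domains": len(domains),
        "de_domains": de_domains,
        "skipped": skipped,
    }


def domains_of_interest_present(records, own_domains):
    """Return the e-mail domains in the dump that equal one of the given
    main domains or are subdomains of one. Matching on the registrable
    domain plus subdomains mirrors the 'enter your main domain' style of
    check, but is done locally on the sample you hold."""
    own = {d.lower().lstrip(".") for d in own_domains}
    found = set()
    for r in records:
        d = email_domain(r.get("email", ""))
        if d is None:
            continue
        for o in own:
            if d == o or d.endswith("." + o):
                found.add(d)
    return sorted(found)


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print(summarize(recs))
    print(domains_of_interest_present(recs, ["example-stadtwerke.de"]))
```

Running the script on a real sample only requires replacing `SAMPLE_CSV` with the file contents; because the matching is done on the domain part of the addresses, a hit for a freemail domain such as `gmx.de` says nothing about a specific company, exactly the caveat that applies to the 140,000-domain list.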
Involuntary devops stream: support video from 2019
Another find that emerged in the wake of the break-in seems rather curious. The almost one-and-a-half-hour recording of a video conference and screen sharing apparently shows a meeting between Oracle support technicians about an update to a database environment in the Oracle Classic cloud. The technicians set up database servers and server environments together – and root passwords for cloud servers that are no longer accessible fly through the frame.
The video is not current, but apparently dates back to 2019. The security analysis company Hudson Rock has uploaded the video to YouTube, and there is also a transcript on Github for you to browse through.
More recent is apparently a twenty-second video uploaded to a file hosting service on March 31, which allegedly shows a chat conversation between Oracle customer service and the attacker known as "rose87168". Apparently, the attacker had logged into Oracle's support portal on behalf of a victimized Oracle customer and asked a visibly overwhelmed employee for information on how to proceed.
(Image: Screenshot: cku)
No new information from Oracle
In light of the new information, we asked Oracle for an updated statement. We were particularly interested in whether the company would extend its original denial to the "Oracle Classic" cloud and how it assesses the authenticity of the data already published. However, by the afternoon of April 1, we had not received any feedback – and will update this report as soon as we do.
The first reports of an intrusion or data leak in one of the Oracle clouds appeared at the end of March. It is still unclear how the intruder or intruders gained access to the sensitive data. Several experts suspect that access was gained via an exploit for the vulnerability with the CVE ID CVE-2021-35587, which was already repaired in 2022.
(cku)