Oracle intrusion: company admits to data theft – and continues to play it down

An e-mail to customers mentions an attack, but says that only superfluous servers and no customer data are affected. Is this yet another case of quibbling?

More than two weeks after a data leak in one of its cloud environments came to light, Oracle has now emailed customers. In the statement, the company tried to minimize the attack and its effects. Oracle Cloud (OCI), Oracle reiterated, had not suffered a security breach. Hackers had not penetrated customer environments, customer data had not been stolen or viewed and OCI services had not been compromised or disrupted, according to the email.

Oracle mentions in the following paragraph that a successful attack nevertheless took place – a “hacker” had published usernames of two superfluous (“obsolete”) servers that were never part of the Oracle Cloud. He also had no access to customer environments or data due to a lack of usable passwords.

In fact, heise security has demo data sets that originate directly from the attacker. These contain far more than just usernames – in addition to e-mail addresses, various password hashes and the Oracle internal tenant identifiers, the names of the affected systems and numerous timestamps can also be found. These date back to March 2025.

Oracle's claim that the attacker did not access “customer data” therefore reveals that the affected system could have been an internal system of the group, and that Oracle does not regard the personal information of its customers as customer data.

So is it all only half as bad? That's what Oracle wants its customers to believe, apparently intending to put this embarrassing episode behind it as quickly as possible. Oracle has also had to admit to security problems on another front: health data was leaked from the acquired company Cerner in February, which has since even resulted in a class action lawsuit against the parent company. However, this was withdrawn by the plaintiff on April 2.

Meanwhile, the group continues to stonewall heise security and other media. An inquiry on April 1, in which we asked for clarification of the only public statement to date, received no reply from either the spokesperson of the Oracle branch in Germany or its PR agency. Perhaps the PR professionals thought our detailed inquiries were an April Fool's joke.

And the attacker? After “rose87168” announced a surprise for the weekend on his X account on April 4, the curious will have to wait a little longer: A short forum comment, translatable to “:))) I'm working on something new, wait for it, and sorry for the delay”, is the last sign of life on the afternoon of April 8.

(cku)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.