Oracle Corporation has recently confirmed a data breach involving its older Gen 1 servers, marking its second cybersecurity incident disclosed in recent weeks. This breach highlights vulnerabilities in legacy systems and raises concerns about the company’s ability to safeguard sensitive client data.
The breach was first reported by a threat actor known as “rose87168” on Breachforums on March 20, 2025. The attacker claimed access to approximately 6 million data records, including usernames, email addresses, hashed passwords, and sensitive authentication credentials such as Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) information. Java Key Store (JKS) files and Enterprise Manager JPS keys were also exfiltrated. While no complete Personally Identifiable Information (PII) was exposed, Oracle confirmed that the compromised data is about 16 months old. The hacker exploited a 2020 Java vulnerability to deploy malware and a web shell targeting Oracle’s Identity Manager (IDM) database. The attacker reportedly gained access in January 2025 and remained undetected until late February, prompting Oracle to launch an internal investigation.
Oracle swiftly notified affected clients and reinforced security measures for its Gen 1 servers. The company emphasized that its Gen 2 servers and primary Oracle Cloud infrastructure remain unaffected. CybelAngel reported that Oracle privately acknowledged unauthorized access to legacy systems. The company is urging impacted clients to reset credentials, monitor for suspicious activity, and implement additional security measures to prevent further exploitation. The attacker, “rose87168,” demanded a $20 million ransom from Oracle and expressed interest in exchanging stolen data for zero-day exploits. Security researchers validated portions of the stolen data, confirming the breach’s authenticity.
This incident has drawn additional scrutiny over Oracle’s security measures given its recent history of cyberattacks. Oracle disclosed another breach involving its Health division’s legacy Cerner servers, where patient data from U.S. healthcare organizations was compromised. Although Oracle maintains these incidents are unrelated, the timing of the breaches has raised concerns about the company’s overall cybersecurity posture. Experts warn that vulnerabilities in legacy systems, like the Gen 1 servers, pose significant risks if left unaddressed. The incident underscores the challenges large enterprises face in securing outdated infrastructure while migrating to modern platforms.
Oracle’s response highlights the complexities of defending against evolving cyber threats and reinforces the need for comprehensive security measures in the face of increasingly sophisticated attacks. This breach serves as a reminder of the importance of proactive cybersecurity measures and the ongoing battle to protect sensitive data in an ever-evolving threat landscape. Oracle’s commitment to addressing the breach and enhancing security protocols demonstrates the ongoing effort to maintain trust with clients and stakeholders in the face of cyber threats.