>BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
>In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach.
Oracle probably should have just admitted the validity up front.
It's not like there are any real penalties to a breach. Lying about it is probably a worse PR hit than the breach itself.
> It's not like there are any real penalties to a breach.
Not in the US maybe. In the EU under GDPR you have to disclose within 48h of realizing (or being made aware of) the breach.
There are fines (at least) if you don't disclose it afaik.
Oracle is gonna have issues with the EU, most likely.
Maybe the EU wasn't on the Signal group chat when Oracle notified The Atlantic of the breach
SEC Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules - https://www.sec.gov/files/33-11216-fact-sheet.pdf
Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue? Admittedly, I don't watch too closely, but from the ones I am aware of, I haven't seen any GDPR fines that made me finally think "wow, that might actually count as a punishment". (I would honestly be happy to learn of some!)
There are disclosure laws in the US as well, but again, the fines are like a day's worth of revenue. Maybe the breached company has to provide a year of credit monitoring for the affected persons, if lucky.
> In the EU under GDPR you have to disclose within 48h
72h actually, but yes, data protection and breaches of sensitive personal information are taken very seriously in the European Union and its legislation.
This just in... /s
Seriously though, Sullivan lost his appeal. You should have read up on this.
https://www.courthousenews.com/wp-content/uploads/2025/03/us...
What exactly is the point you are trying to make?
He got in trouble for obstruction of justice and misprision of felony for trying to cover up a breach. Not because there was a breach.
There are basically no punishments for a breach itself. But yes, if you obstruct authorities who investigate, you can get in trouble.
The fact alone that Oracle was hosting their login gateway on a product with a known vulnerability from 2021 with a CVSS score of 9.8 is quite disturbing.
We pay millions to Oracle. We hit a bug and it took 6 months for them to reproduce and acknowledge there is a bug. They now seem to be on the lookout for someone being able to produce a fix: sales and Indian after-sales can't do that... curious!
Oracle seems just a money-grabbing shell company at this point and I suppose the whole hyperscaler cloud is developing towards that point with the leaders of those corporations repeating exactly the same talking points...
Why are you still on Oracle? (genuine question, no snark)
Fun fact: Oracle has like 6+ LDAP/directory products, OAM is just one. There's ODS, OIM, OID, OUD, OVD, NIS leftovers from Sun, and probably more honestly.
OAM and OIM aren’t “LDAP/directory products” per se.
OAM is an access management product, used to implement stuff like SSO (single sign-on). So, for example, it comes with a module you can install in Apache, which will intercept HTTP requests and redirect them to OAM’s login page - which may potentially talk to an LDAP to authenticate you. Or you can do stuff like define some URL patterns in an app as sensitive so they require a more secure authentication mechanism (such as 2FA or smart card), and other URL patterns as less sensitive so password-only login is sufficient.
OIM is basically about provisioning accounts from a source system into target systems. Those systems could be LDAPs from various vendors, but can also be HR systems (Oracle’s various offerings and SAP too), IBM mainframes (RACF, TopSecret, ACF2), Unix/Linux hosts, database tables, custom apps… It also lets you do things like set up workflows to approve system access requests; you can configure it to require reapproval of high-risk access requests by management every X months or else they get revoked (used for Sarbanes-Oxley compliance), etc.
Source: I used to work for Oracle Engineering, in a team which handled escalations for these products, especially OIM, but I stuck my fingers in most of them. When I left (back in 2017, so a while ago now) they were putting a lot of effort into their cloud offering (IDCS, more recently replaced by OCI IAM), but I’m sure the on-premise offerings are going to stick around for a long time, especially because they have some customers (e.g. in the national security space) for which cloud is unlikely to be a viable solution any time soon.
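The two behaviours this comment describes, per-URL authentication strength with a redirect to the login page when the session is too weak (the OAM side) and periodic reapproval of high-risk access with revocation on expiry (the OIM side), as a small added example. This is illustrative code written for this thread, not OAM/OIM code or Oracle's API; the level names, policy patterns, users and dates are all constructed, and "months" are approximated as 30 days.

```python
"""Toy policy engine illustrating step-up authentication and access recertification.
Everything here is constructed for the example; it does not model Oracle's real APIs."""
import fnmatch
from dataclasses import dataclass
from datetime import date, timedelta

# Ordered authentication strengths (constructed names). Higher number = stronger.
LEVELS = {"anonymous": 0, "password": 1, "mfa": 2, "smartcard": 3}


@dataclass(frozen=True)
class Policy:
    pattern: str    # glob-style URL pattern, e.g. "/app/admin/*"
    required: str   # key in LEVELS that a session must have reached


def required_level(policies, path, default="password"):
    """Most specific (longest) matching pattern wins. Unlisted paths fall back to a
    fail-closed default rather than being treated as public."""
    matches = [p for p in policies if fnmatch.fnmatch(path, p.pattern)]
    if not matches:
        return default
    return max(matches, key=lambda p: len(p.pattern)).required


def decide(policies, path, session_level):
    """Return ("allow", level) or ("redirect_to_login", level). The second element is the
    level the login page must reach, so a password-only session is stepped up, not rejected."""
    need = required_level(policies, path)
    if LEVELS[session_level] >= LEVELS[need]:
        return ("allow", need)
    return ("redirect_to_login", need)


@dataclass(frozen=True)
class Entitlement:
    user: str
    target: str          # system the account was provisioned into
    high_risk: bool      # high-risk grants need periodic management reapproval
    last_approved: date


def recertify(entitlements, today, interval_months=6):
    """Split grants into (kept, revoked): high-risk grants whose last approval is older
    than the interval are revoked; low-risk grants are left alone."""
    cutoff = today - timedelta(days=30 * interval_months)  # assumption: month ~ 30 days
    kept, revoked = [], []
    for e in entitlements:
        if e.high_risk and e.last_approved < cutoff:
            revoked.append(e)
        else:
            kept.append(e)
    return kept, revoked


# Constructed sample configuration and data.
POLICIES = [
    Policy("/public/*", "anonymous"),
    Policy("/app/*", "password"),
    Policy("/app/admin/*", "mfa"),
    Policy("/app/admin/keys/*", "smartcard"),
]
TODAY = date(2025, 1, 1)
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "racf-prod", True, date(2024, 1, 1)),    # stale high-risk grant
    Entitlement("bob", "hr-ldap", False, date(2023, 6, 1)),        # low risk, no recert
    Entitlement("carol", "racf-prod", True, date(2024, 12, 1)),   # recently reapproved
]

if __name__ == "__main__":
    for path, level in [("/app/reports", "password"), ("/app/admin/users", "password")]:
        print(path, level, "->", decide(POLICIES, path, level))
    kept, revoked = recertify(SAMPLE_ENTITLEMENTS, TODAY)
    print("revoked:", [e.user for e in revoked])
```

The longest-match rule matters: with both `/app/*` and `/app/admin/*` configured, a request to an admin URL must pick up the stricter policy, and anything not covered by a pattern should require authentication rather than silently becoming public.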
And you can't just use your AD, you have to install OID and have it synchronized.
It just makes me mad.
hey at least they use their own product!
It appears they took dogfooding a little too literally
Check out Oracle's market cap or Ellison's net worth ;)
> In this email exchange, the threat actor says someone from Oracle using a @proton.me email address told them that "We received your emails. Let’s use this email for all communications from now on. Let me know when you get this."
E-mails are one of the records that most public companies are required to retain for a period of time (7 yrs?). Probably trying to avoid a paper trail?
Data breaches, unfortunately, have no impact on stock. Companies that use Oracle products are unlikely to migrate any time soon.
_future_ sales may be impacted and maybe some smaller players can migrate off. But Oracle will downplay it as much as possible.
“Deny. Delay. Defend.” is not just a health insurance slogan.
Okay having worked at a top 3 insurance broker about 10 years ago when “Cyber” policies were being rolled out (h/t Beasley)…I wonder who underwrote Oracle’s policy and how much it was in that tower? No policy? Hope the D&O can cover the shareholder lawsuits! Wait, something something cozy with administration in power, rules subject to interpretation, etc.
Then again, Tyler Technologies blamed Judyrecords.com for their exposing reams of sealed cases in California because of their flawed obfuscation system and claimed it was a security breach (somehow skated on accountability there).
Rule #1 of a breach is never write the word breach in an email, hence the discussion off their dot com I figure…
Classic, Oracle denying breach despite clear evidence.
This is the way.
Deny deny deny. Those that have already drunk the kool-aid will believe your denial. Those that are too lazy to look or only get their info from one source will not know any different than your denial. The rest are just wrong from being in opposition anyways.
It works anywhere as long as you are a large enough entity.
Responding to a person with a non-company email.. eek.
Attempting to admit something to key customers but they don't do it on letterhead!
https://arstechnica.com/security/2025/03/oracle-is-mum-on-re...
Look for them to sue any messengers shortly.
the sailboat races are on schedule, however
They sponsor a fast car too.
If you ran Oracle you’d appreciate why it wasn’t patched. They do not make it easy.
Genuinely curious what kind of demographic is leveraging Oracle for cloud products — all I’ve heard about them suggests long-term pain.
This incident certainly doesn’t help inspire confidence in their offerings.
Multi cloud companies that want pricing leverage at the expense of simplicity (uber is a major customer of all 4 big clouds for example)
There are 4 big clouds? I had only ever heard of the big 3 mentioned until now (AWS, Azure, GCP). From a quick search, appears that the 4th is Alibaba Cloud.
They have free cloud and egress is cheaper.
What about Oracle Opera Cloud and Oracle NetSuite Cloud customer data—have they been stolen as well? Many many hotels around the world use Opera + NetSuite.
How long has Oracle been denying it? Three days?
Not sure how long it will take them to accept responsibility in this case or at least confirm but Oracle has always played the denying game, it looks like their favorite business practice.
Larry and Trump are in bed. Oracle will (should) fire their OCI and SaaS CISOs.