BleepingComputer has confirmed the rumor that Oracle has suffered a compromise affecting its legacy environment, including the compromise of old customer credentials (originally denied by Oracle). Oracle notified some affected clients that old legacy data from Oracle Classic (last used in 2017) was involved in the incident. BleepingComputer has reportedly had direct contact with the threat actor, which has “shared data with BleepingComputer from the end of 2024” and posted newer records from 2025 on a hacking forum.
The incident was discovered in late February. According to BleepingComputer, “the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.” The threat actor offered over six million data records for sale on BreachForums on March 20, 2025, alleging the data originated from the Oracle incident.
On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on the “potential legacy Oracle Cloud compromise.” The guidance confirms that the incident’s scope and impact are uncertain but provides information about the risks associated with compromised credentials.
The Alert states:
The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risks to enterprise environments. Threat actors routinely harvest and weaponize such credentials to:
- Escalate privileges and move laterally within networks.
- Access cloud and identity management systems.
- Conduct phishing, credential-based, or business email compromise (BEC) campaigns.
- Resell or exchange access to stolen credentials on criminal marketplaces.
- Enrich stolen data with prior breach information for resale and/or targeted intrusion.
The Alert provides recommendations to organizations “to reduce the risks associated with potential credential compromise.” The recommendations are solid for any credential compromise but particularly relevant to Oracle customers.