Oracle has continued to downplay a data breach it suffered earlier this year, insisting in an email sent to customers this week that the hack did not involve its core platform, Oracle Cloud Infrastructure (OCI).

Normally, a denial like this would be the end of the story, but the circumstances of this breach and Oracle's confusing response to it over recent weeks have left some questioning the company's account of the incident.

This week's email, forwarded to this publication by Oracle, claimed that the incident involved "two obsolete servers" unconnected to the OCI or any customer cloud environments.

"Oracle would like to state unequivocally that the Oracle Cloud - also known as Oracle Cloud Infrastructure or OCI - has NOT experienced a security breach," stated the letter.

"No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way," it continued. No usable passwords were exposed because these were "encrypted and/or hashed."

"Therefore, the hacker was not able to access any customer environments or customer data," the email concluded.

Breach timeline

But if the "two obsolete servers" weren't part of the OCI system, what were they part of? And what, if any, customer data did the hacker access?
At this point, the opinions of security researchers and the counter-assertions by Oracle start to diverge.

The fact that a breach of some kind had occurred was first made public in March, when a hacker using the moniker 'rose87168' publicized on a breach forum their theft of six million single sign-on (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, among other sensitive data, allegedly stolen from the Oracle Cloud platform.

If true, that would be a big deal; SSO and LDAP credentials, even if competently hashed, are not something any cloud provider or customer would want to be in the hands of a third party.

The hacker told Bleeping Computer that they gained access to the Oracle system in February, after which they had attempted (and failed) to extort payment from Oracle in return for not releasing the data.

But even if the hashes remained secure, other sensitive data could be used to mount targeted attacks, noted security company Trustwave:

"The dataset includes PII, such as first and last names, full display names, email addresses, job titles, department numbers, telephone numbers, mobile numbers, and even home contact details," wrote Trustwave's researchers, pointing out that the consequences of such a breach could be expensive.

"For the organizations affected, a leak like this one could result in data breach liabilities, regulatory penalties, reputational damage, operational disruption, and long-term erosion of client trust," they wrote.

Oracle subsequently denied the breach claim, telling the media: "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

In early April, the company changed tack slightly, admitting that it had been breached, but insisting that the data had been taken from a "legacy environment" (aka Oracle Classic) dating back to 2017.
That story claimed that Oracle had started contacting customers, mentioning that the FBI and CrowdStrike were investigating the incident.

This incident was in addition to a separate data breach - described as a "cybersecurity event" - affecting Oracle's healthcare subsidiary, Oracle Health.

Doubts emerge

So far so good regarding Oracle's denials, except that the hacker subsequently shared data showing their access to login.us2.oraclecloud.com, a service that is part of the Oracle Access Manager, the company's IAM system used to control access to Oracle-hosted systems.

It also emerged that some of the leaked data appeared to be from 2024 or 2025, casting doubt on Oracle's claim that it was old.

So, was Oracle's main OCI platform breached or not? Not everyone is convinced by the company's flat denials. According to prominent security researcher Kevin Beaumont, the company was basically "wordsmithing" the difference between the Oracle Classic servers it admits were breached, and OCI servers, which it still maintains were not.

"Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident," noted Beaumont in a dissection of the incident and Oracle's response on Medium.

"Oracle are denying it's on 'Oracle Cloud' by using this scope - but it's still Oracle cloud services, that Oracle manage. That's part of the wordplay." Oracle had also quietly contacted multiple customers to confirm some kind of breach, he said.

This leaves interested parties with the unsatisfactory sense that something untoward has happened, without it being clear what.

For now, Oracle is sticking to its guns that its main OCI platform is not involved, but perhaps the confusion could have been avoided with better communication.

Suffering a breach is hugely challenging for any organization, but it sometimes pales beside the problems of communicating with customers, journalists, and the army of interested researchers ready to pick apart every ambiguity.
Weeks on from the breach becoming public, those ambiguities have yet to be fully cleared up.
Oracle is a California-based computer technology company that provides services such as IT infrastructure, operations management, analytics and data management for businesses.