Cyber Incident Victim: Oracle Corporation

Date: Nov 2025

Location: United States of America

Summary

Oracle informed clients that a hacker accessed a legacy system and stole old login credentials, marking the second breach disclosed to customers in recent weeks. The company said the Federal Bureau of Investigation and CrowdStrike are investigating, and the attacker attempted to sell the data online. It noted the compromised environment had been unused for eight years and that the stolen credentials pose little risk, adding that this incident is separate from an earlier breach affecting healthcare customers.

Description

In March 2025, an unidentified individual began attempting to sell data that had been stolen from Oracle’s cloud servers based in Austin, Texas, prompting the company to acknowledge a hacking incident to some healthcare customers. In early April 2025, Oracle informed clients of a second recent cybersecurity breach, stating that a hacker had broken into a computer system and stolen old client log‑in credentials. The company described this incident as separate from the earlier healthcare‑focused hacking event it had disclosed the previous month. Oracle told some affected customers that the Federal Bureau of Investigation and the cybersecurity firm CrowdStrike Holdings are investigating the breach.

The attacker gained access to a legacy environment that Oracle confirmed had not been in use for eight years, and the stolen data included customer log‑in credentials dated as recently as 2024. Oracle emphasized that, because the system had been inactive for so long, the compromised credentials pose little risk to current operations. The company also disclosed that the attacker had sought an extortion payment from Oracle in connection with the breach. Oracle staff acknowledged to certain clients this week that the intrusion had occurred within the legacy system, reinforcing the assessment of limited impact.

In response, Oracle notified its customers about the breach, provided details about the involvement of federal investigators and CrowdStrike, and reiterated that the affected system is outdated and no longer serves active workloads. The company maintained that the stolen credential data does not present a significant threat to its clients’ security posture. No further specifics about the extent of the data exfiltration or the attacker’s identity were disclosed in the reported statements.
