September 22, 2025

Oracle is privately informing some customers about a possible cloud system breach—despite publicly denying that any such incident occurred.

A hacker known as “rose87168” has claimed responsibility for the breach, offering for sale what they say is data from over 140,000 Oracle Cloud customers, including encrypted login credentials. Initially, the hacker demanded $20 million from Oracle in exchange for not releasing the data. When that failed, they attempted to sell the information or trade it for zero-day exploits.

In response to media attention, Oracle publicly denied the claims, stating:

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Despite this, the hacker has released multiple pieces of evidence to support their claims:

  • A sample of 10,000 user records
  • A file showing alleged access to Oracle cloud environments
  • User credentials
  • A video reportedly recorded during an internal Oracle meeting

Cybersecurity experts have reviewed some of the data and believe it to be genuine. Published reporting indicates that some Oracle Cloud customers have confirmed that the leaked records are indeed theirs.

While Oracle continues to publicly deny any breach, independent reports suggest otherwise. According to Bloomberg, Oracle has started quietly notifying affected customers, acknowledging a breach involving usernames, passkeys, and encrypted passwords. The incident is now under investigation by both the FBI and CrowdStrike, a leading cybersecurity firm.

Oracle reportedly told some customers that:

  • The breach was tied to a legacy system no longer in use for over eight years
  • The exposed credentials pose little risk

However, a separate source told Bloomberg that some of the stolen credentials are from 2024, suggesting that more recent systems may also be affected.

Security firm CybelAngel reported that the breach impacted “Gen 1” cloud servers (older Oracle cloud systems), while newer “Gen 2” servers were not involved. According to their unnamed source:

  • The compromised data is at least 16 months old
  • It does not include full personal data
  • The attacker gained access via a 2020 Java vulnerability
  • Malware and a webshell were installed, targeting Oracle’s identity management database
  • Oracle discovered the issue in late February 2025
  • The hacker was removed in early March, following the first ransom demand

The hacker also claims they accessed data from 2025, further complicating Oracle’s public denials.

Cybersecurity researcher Kevin Beaumont, who has been monitoring the situation, said that Oracle has only notified affected customers verbally, with no written communication. He believes Oracle is using vague wording to avoid admitting that its cloud services were breached.

Beaumont suggests that calling the affected systems “Oracle Classic” instead of “Oracle Cloud” may be a strategic move to deflect responsibility.

“Oracle are attempting to wordsmith statements around Oracle Cloud… This is not okay,” Beaumont said. “They need to clearly, openly, and publicly communicate what happened, how it impacts customers, and what they’re doing about it.”

Adding to the confusion, reports have also surfaced about a separate Oracle Health breach. According to Bleeping Computer, that incident involves patient data from multiple U.S. healthcare providers and appears to be unrelated to the cloud breach.
