Federal officials have issued a cybersecurity alert in response to a breach involving legacy Oracle systems, warning that exposed credentials could pose long-term risks to organizations, reports The Record. While Oracle has claimed its Cloud Infrastructure (OCI) remains unaffected, hackers reportedly accessed usernames from outdated servers. The breach first gained public attention after the attacker advertised the stolen data online, prompting a broader investigation involving the FBI and cybersecurity firm CrowdStrike.
Security researchers have since confirmed that sensitive data, including encrypted passwords and key files, was compromised in the attack. The threat actor, operating under the alias “rose87168,” allegedly extracted millions of records from Oracle Cloud’s SSO and LDAP systems. With over 140,000 tenants affected, victims span multiple industries and regions. The attacker has also been soliciting payment from affected organizations in exchange for deleting stolen information.
CISA emphasized that even without full confirmation of the breach’s scope, the leaked credential material could enable attackers to maintain unauthorized access, conduct phishing attacks, or escalate privileges within enterprise environments. The agency pointed out the particular danger of embedded credentials, which are difficult to detect and remove once exposed.
In response, CISA has urged potentially impacted organizations to reset all relevant credentials, scrutinize authentication logs for unusual behavior, and report any suspicious activity. While Oracle has not commented on the agency’s notice, multiple customers have verified that their data was included in the compromised dataset, raising further questions about the incident’s reach and Oracle’s response strategy.