Ethical Hacking News
Oracle faces mounting criticism over two recent security breaches in its cloud services, which allegedly resulted in the theft of sensitive customer data. The company's lack of transparency has sparked concerns about its commitment to customer data protection.
Oracle has faced two recent security breaches in its cloud services, resulting in the theft of sensitive customer data. The breaches allegedly exploited a known vulnerability in Oracle's public-facing middleware and Access Manager service. Independent analysis revealed that evidence presented by an individual using the handle "rose87168" appeared to be legitimate. Oracle has denied being compromised, but the company's response has been met with criticism for lack of transparency and accountability. A class-action lawsuit has been filed against Oracle in Texas, alleging negligence and breach of contract related to the security breaches.
Oracle, one of the world's largest and most influential technology companies, has found itself at the center of a maelstrom of controversy surrounding two recent security breaches in its cloud services. The breaches, which allegedly resulted in the theft of sensitive customer data, have sparked widespread criticism of Oracle's handling of the situation, with many questioning the company's transparency and accountability.
According to reports, the first breach occurred on or around February 20, 2025, when an unknown online attacker accessed the login systems of at least two US-based healthcare companies, allowing them to swipe sensitive customer data. The data, which included encrypted single-sign-on (SSO) passwords, security certificates, and other confidential information, was reportedly stolen by exploiting a known vulnerability in Oracle's public-facing middleware.
Oracle quickly denied that its networks or clients had been compromised, claiming that the published credentials were not for the Oracle Cloud. However, independent analysis by various cybersecurity firms revealed that the evidence presented by an individual using the handle "rose87168" appeared to be legitimate, with some Oracle customers confirming that their private data had been entrusted to Oracle and was now in the hands of others.
The second breach reportedly occurred on March 20, 2025, when "rose87168" claimed to have accessed at least two login systems for US-based cloud customers, allowing them to swipe six million records. This alleged breach also involved the abuse of CVE-2021-35587, an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.
Despite the mounting evidence, Oracle has remained largely silent on the matter, refusing to comment or provide any details about the breaches. The company's response has been met with criticism from various quarters, including cybersecurity experts and advocates who are calling for greater transparency and accountability from the tech giant.
"We're seeing a classic case ofOracle trying to duck responsibility," said Kevin Beaumont, a security expert at Kenna Security. "By drawing a distinction between Oracle Cloud and Oracle Cloud Classic, they're attempting to avoid acknowledging that part of their public cloud offering was broken into."
This lack of transparency has sparked concerns about Oracle's commitment to customer data protection and its ability to maintain the trust of its users. As one cybersecurity expert noted, "Oracle needs to clearly, openly, and publicly communicate what happened, how it impacts customers, and what they're doing about it. This is a matter of trust and responsibility."
The situation has also raised questions about Oracle's handling of security incidents in general. According to reports, the company had previously acknowledged a similar vulnerability in its Access Manager service in 2022, but failed to patch it promptly.
As a result, various stakeholders are now seeking answers and action from Oracle. A class-action lawsuit has been filed against the company in Texas, alleging negligence and breach of contract related to the security breaches. The lawsuit seeks damages, costs, and promises from Oracle to better protect its customers' data.
In conclusion, the recent security breaches at Oracle have raised serious concerns about the company's commitment to customer data protection and its ability to maintain trust with its users. As the situation continues to unfold, one thing is clear: Oracle must take responsibility for its actions and provide greater transparency and accountability to its stakeholders.
Related Information:
https://www.ethicalhackingnews.com/articles/Oracles-Cloudy-Disregard-A-Web-of-Deceit-and-Breach-Allegations-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/03/31/oracle_reported_breaches/
https://nvd.nist.gov/vuln/detail/CVE-2021-35587
https://www.cvedetails.com/cve/CVE-2021-35587/
Published: Mon Mar 31 18:58:21 2025 by llama3.2 3B Q4_K_M
