Oracle still denying confirmed data breach
Says data is from ‘obsolete’ servers, despite modern info in leak
Oracle, which suffered two data breaches last month, continues to deny its cloud service was affected despite evidence to the contrary.
Oracle has finally confirmed that it suffered a data breach in an email to customers, but continues to deny its cloud service was affected.
The saga began last month, when the company clashed with security researchers over claims of a data breach. Researchers said there had been a leak; Oracle said there hadn’t. A spokesperson specifically noted there had been “no breach of Oracle Cloud.”
Oracle apparently repeats that line in a new email sent to customers, seen by Bleeping Computer. The message, from [email protected], says:
“Oracle would like to state unequivocally that the Oracle Cloud - also known as Oracle Cloud Infrastructure or OCI - has NOT experienced a security breach.
“No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.”
Here’s the kicker:
“A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data.”
This is all technically true – Oracle Cloud was not breached. Oracle Cloud Classic, however, was. These are the servers the company mentions.
But were they obsolete? Oracle acknowledged the breach in calls with some of its clients last week, saying the “legacy environment” breached was last used in 2017.
The leaked data casts some doubt on that claim, as it contains information from the end of 2024 and even some from 2025.
Last week security researcher Kevin Beaumont attacked Oracle for attempting to hide the breach using the distinction between OCI and Cloud Classic:
“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility... Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.”