UPDATED 19:05 EDT / APRIL 03 2025

Oracle reportedly informs clients of system breach following earlier denial

Oracle Corp. has reportedly told some customers that a hacker broke into computer systems and stole old client login credentials.

The admission comes after the company publicly denied any breach had taken place following a hacker offering allegedly stolen Oracle data on BreachForums.

Bloomberg, referencing two people familiar with the matter, claims that Oracle staff told clients that the attacker gained access to usernames, passkeys and encrypted passwords. It is also claimed that Oracle told the clients that they had contacted the U.S. Federal Bureau of Investigation and had tapped CrowdStrike Holdings Inc. to investigate the incident.

Oracle also reportedly told clients that the breach was separate from another breach involving healthcare customers last month. Oracle has yet to publicly comment on the report.

The alleged hack, the latest one known, involved a hacker going by the name “rose87168” who claimed on March 20 to have exploited a critical vulnerability in Oracle Access Manager to gain access to Oracle Cloud Infrastructure. The hacker claimed to have stolen more than 6 million records tied to more than 140,000 tenants, comprising credentials, OAuth2 keys and internal tenant configurations.

When reports first emerged, a spokesperson for Oracle denied the claim, saying that “there has been no breach of Oracle Cloud” and that “the published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

The problem with Oracle’s denial is that, according to security researchers and companies, the data offered by the hacker on BreachForums appeared to be legitimate, and these are parties with no incentive to lie or to damage Oracle with false allegations.

Among the first to question Oracle’s denial was Trustwave Holdings Inc., which found that the structure and content of the sample data appeared consistent with real environments, particularly those using Oracle’s SSO and LDAP systems. The company’s researchers also noted that Oracle’s denials have not been supported by detailed technical counter-evidence.

The samples provided by the hacker were central to that conclusion, which other cybersecurity companies have since backed up.

“Several other security researchers and vendors have also analyzed the sample. At least three Oracle Cloud customers reportedly confirmed their information was present in the leaked data, further supporting its authenticity,” Ensar Seker, chief information security officer at cybersecurity intelligence firm SOCRadar Cyber Threat Intelligence Inc., explained to SiliconANGLE via email. “These confirmations, along with observed indicators of attack such as irregular logins and suspicious file activity, suggest that the breach may indeed be real.”

The hacker continues to provide screenshots and additional data fragments to prove the claim, he added. “The screenshot illustrates structured user data likely sourced from an identity management system,” he said. “The actor also claims to have exploited a known vulnerability (potentially CVE-2021-35587), though this has not been confirmed.”
