Oracle has informed customers that a malicious actor accessed a computer system, stealing old login credentials for clients. This is the second cyber breach the organization has experienced in the last month, following Oracle’s initial denial of a cyber incident. According to the organization, this new incident is separate from the previous hacking event. 

Breaking down the incident 

Casey Ellis, Founder at Bugcrowd:

Oracle’s recent admission about the breach involving two outdated servers brings up several critical points worth unpacking:

• Assessing Oracle’s Data Protection Claims: Oracle mentioned that the compromised servers stored usernames with passwords that were "encrypted and/or hashed." While encryption and hashing are foundational security practices, their effectiveness hinges on the algorithms and implementations used. Without specifics, it’s hard to gauge the actual security of the exposed data. The attacker, “rose87168,” reportedly failed to crack the credentials, which suggests a strong protection mechanism, but the absence of detailed information leaves room for doubt.
• Threat Level of the Exposed Data: Although the attacker admitted they couldn’t crack the passwords, the exposure of usernames alone isn’t harmless. Usernames can be weaponized in social engineering attacks or combined with other breached data to facilitate credential stuffing. Even seemingly benign data can become dangerous when aggregated, so organizations should treat this as a potential risk.
• Exploitation Risks and Mitigation Steps: Attackers could use the leaked usernames to craft targeted phishing campaigns or cross-reference them with other breached credentials.
• Transparency and Disclosure Issues: Oracle’s initial denial of the breach has drawn criticism. Their eventual acknowledgment highlights the importance of timely, coordinated, and transparent communication. Delayed disclosures can leave affected organizations exposed for longer, undermining trust and delaying protective actions.

While the immediate fallout from this breach seems limited, it serves as a reminder of the importance of proactive security measures and clear, honest communication during incidents.

Expanding on encryption

Rom Carmel, Co-Founder and CEO at Apono:

Hashing passwords and encrypting data are essential steps in limiting the fallout of a breach — but not all encryption is created equal. With incomplete information and hacker-supplied claims, it’s hard to fully assess the risk posed by stolen passwords. That said, if best practices were followed, sensitive credentials should have already been rotated, especially given the age of the data. To effectively reduce risk, organizations need a layered security strategy — strong encryption paired with micro-segmentation, credential management, and granular access controls. This means limiting access to only what users need, when they need it, and for as long as necessary. As more companies move to the cloud, adopting a least privilege model and managing the attack surface is no longer optional — it’s foundational.

Darren Guccione, CEO and Co-Founder at Keeper Security:

Even when passwords are encrypted, cybercriminals have several potential attack vectors. When passwords are properly protected with strong encryption, cybercriminals cannot directly read them, however, they may try other techniques including brute force and password hash attacks. A brute force attack is when a threat actor attempts to guess an encryption key, however, this is extremely difficult. Cybercriminals may also try to launch password hash attacks using rainbow tables or other methods.

Although Oracle has stated the attacker was not able to access any customer environments or data, customers can — and should — take measures to protect themselves. Organizations using cloud services must ensure strong password management policies, enforce least-privilege access and protect credentials with robust encryption. A zero-trust approach, where access is continuously verified, helps mitigate the risk of unauthorized access, even if credentials are compromised. A layered security model that includes Privileged Access Management (PAM), Multi-Factor-Authentication (MFA) and strong encryption is vital for minimizing the impact of a breach. Automated credential rotation using a PAM solution reduces exposure and strong access controls for privileged resources limit the potential damage if a cyber attack occurs.