Oracle denies data theft, but evidence suggests otherwise.

Last week, a database allegedly containing internal systems of Oracle was put up for sale on various dark web sites by a user known only as “rose87168”. The seller claimed that the database belonged to Oracle Cloud and contained data from approximately 6 million customers, including usernames, emails, and encrypted passwords. To legitimize the sale, the seller even provided several samples of the stolen information.

However, Oracle denied that their systems had been breached. In their original statement, Oracle stated that they had conducted an investigation and found no evidence of any attack on their systems. They also made it clear that they would not be responding to any further inquiries regarding the incident.

This denial contradicted the details of the leaked data, as several security researchers who analyzed the information confirmed its validity. Yet, the company continued to deny any theft of information.

Some affected customers decided to examine the data themselves and discovered that it was indeed accurate. The original seller claimed to have obtained the data after exploiting a serious vulnerability in the cloud control panel used by the platform, a flaw that was not publicly known at the time.

According to Cloudsek, a company that investigated the attack, the vulnerability appears to have been exploited in the “login.us2.oraclecloud.com” system, which used Oracle Fusion Middleware 11g software. This particular version of the software did contain a vulnerability that could be exploited for attacks, potentially compromising the Oracle Access Manager.

After learning about the data breach, Oracle promptly deactivated the server without providing a specific explanation. However, researchers believe that the data may have been collected from this point of origin and that the vulnerability could have been exploited there.

Despite Oracle’s claims of no attacks or data theft, the existence of evidence proving the authenticity of the data and the possibility of it being obtained through a legitimate flaw in the company’s software raises questions among customers and researchers.

Oracle has not provided any additional information about the attack, and their denial of data theft remains their latest statement on the matter.

Background Information

---

About Oracle:

Oracle Corporation is a important American multinational technology company founded in 1977 and headquartered in Redwood City, California. It's one of the world's largest software and cloud computing companies, known for its enterprise software products and services. Oracle specializes in developing and providing database management systems, cloud solutions, software applications, and hardware infrastructure. Their flagship product, the Oracle Database, is widely used in businesses and organizations worldwide. Oracle also offers a range of cloud services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

  

Latest Articles about Oracle