In a significant shift from its earlier denials, Oracle Corp. has confirmed that it experienced a major data breach, notifying select customers about the incident just days after facing a class action lawsuit. The breach reportedly allowed a hacker to access sensitive client login information, including usernames, passkeys, and encrypted passwords, according to Bloomberg.
The silence surrounding the breach has been broken as Oracle begins to privately inform clients of the security compromise, which was labeled by the company as a breach of a legacy system that has not been utilized for eight years. However, Bloomberg’s sources allege that the stolen data includes client credentials from as recently as 2024, casting doubt on Oracle’s description of the incident.
Adding to the controversy, the class action lawsuit, filed in the U.S. District Court for the Western District of Texas, accuses Oracle of failing to secure customer data and concealing the breach from its clients. The lawsuit contends that Oracle’s actions have left customers uncertain about the security of their private information and are seeking a jury trial for damages as well as improved security measures. The suit notes that the breach could impact over 140,000 Oracle Cloud tenants, based on reports of a prior incident that compromised sensitive information of approximately 6 million records.
Cybersecurity experts have raised concerns about the implications of such a breach, arguing that it challenges the fundamental principles of cloud security. Sunil Varkey, an advisor at Beagle Security, commented on the detrimental effects of the breach, stating, “A single hack reportedly exposed 6 million records across 140,000 tenants, and the provider did not even realize the compromise, shattering that illusion of security.”
With legal proceedings unfolding and investigations ongoing, Oracle’s previous assertion that there had been no breach has come under scrutiny, emphasizing the importance of transparency and trust in cloud services. Further inquiry remains unanswered as stakeholders seek clarity amid growing industry concerns about data privacy and security vulnerabilities.