Oracle Cloud Breaches Lead to CISA Guidance and Lawsuits

Shabna Hashim


Multiple Oracle security incidents have led to government agency guidance and class action suits in recent months. In January 2025, a significant security breach targeted Oracle Cloud, exploiting a Java vulnerability to deploy malware into Oracle’s Identity Manager database. The attacker exfiltrated sensitive authentication data, including usernames, hashed passwords, SSO credentials, and LDAP passwords, affecting over 140,000 Oracle Cloud tenants. 

Oracle has publicly denied that its main cloud platform, Oracle Cloud Infrastructure (OCI), was breached, stating in an April 7, 2025 customer notice that no customer data or environments were compromised. However, Oracle acknowledged a security incident involving two obsolete servers unrelated to OCI, from which a hacker accessed usernames but not usable passwords. 

Additionally, in a separate incident, Oracle Health (formerly Cerner), a provider of electronic health record (EHR) systems, experienced a breach involving legacy servers not yet migrated to Oracle Cloud. A hacker reportedly used stolen credentials to access these servers in January 2025, prompting an FBI investigation. The hacker is allegedly extorting Oracle Health customers, demanding cryptocurrency payments to withhold publishing stolen data, which likely includes protected health information.

CISA Guidance

On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on the credential risks associated with the legacy Oracle Cloud compromise. Although CISA noted that the exact scope of the breach remains unconfirmed, it highlighted the following risks associated with the breach:

  • The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments.
  • Embedded or hard-coded credentials in scripts, applications, or automation tools are difficult to detect and can facilitate long-term unauthorized access.
  • Threat actors routinely harvest and weaponize such credentials to:
      • Escalate privileges and move laterally within networks.
      • Access cloud and identity management systems.
      • Conduct phishing, credential-based, or business email compromise (BEC) campaigns.
      • Resell or exchange access to stolen credentials on criminal marketplaces.
      • Enrich stolen data with prior breach information for resale and/or targeted intrusion.

CISA recommended that organizations: 

  • Reset passwords for affected accounts, particularly for nonfederated credentials.
  • Review and replace hardcoded credentials with secure authentication methods, such as centralized secret management.
  • Monitor authentication logs for any anomalous activity, especially for privileged, service, or federated identity accounts, and assess whether additional credentials (such as API keys and shared accounts) may be associated with any known impacted identities.
  • Implement phishing-resistant multi-factor authentication wherever possible. 
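The third recommendation, monitoring authentication logs for anomalous activity on privileged, service, and known-impacted identities, is the one that most benefits from a concrete illustration. The script below is an added example written for this article, not code from CISA or Oracle. It assumes a hypothetical `key=value` authentication log format, a constructed set of sample log lines, and constructed lists of impacted identities, privileged/service accounts, and their previously seen source addresses; a real deployment would populate those from the identity provider and its historical logs. It flags three conditions that map to the guidance: an impacted identity still authenticating with a method that is not phishing-resistant (its leaked credential was never reset), a privileged or service account succeeding from a never-before-seen source, and a burst of failures followed by a success from the same source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log lines (hypothetical format, not Oracle's).
SAMPLE_LOG = """\
2025-04-17T08:01:12Z user=svc-backup src=10.0.4.21 result=SUCCESS method=password
2025-04-17T08:03:40Z user=alice src=10.0.2.15 result=SUCCESS method=password
2025-04-17T08:05:01Z user=svc-backup src=203.0.113.77 result=SUCCESS method=password
2025-04-17T08:05:30Z user=admin-j src=198.51.100.9 result=FAILURE method=password
2025-04-17T08:05:31Z user=admin-j src=198.51.100.9 result=FAILURE method=password
2025-04-17T08:05:32Z user=admin-j src=198.51.100.9 result=FAILURE method=password
2025-04-17T08:05:33Z user=admin-j src=198.51.100.9 result=FAILURE method=password
2025-04-17T08:05:34Z user=admin-j src=198.51.100.9 result=FAILURE method=password
2025-04-17T08:05:40Z user=admin-j src=198.51.100.9 result=SUCCESS method=password
2025-04-17T08:10:00Z user=bob src=10.0.2.40 result=SUCCESS method=fido2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) method=(?P<method>\S+)$"
)

# Constructed context: identities assumed to appear in the leaked credential set,
# privileged/service accounts, and the source addresses each of those accounts
# has historically authenticated from. In practice these come from the IdP.
IMPACTED_IDENTITIES = {"svc-backup", "admin-j"}
PRIVILEGED_OR_SERVICE = {"svc-backup", "admin-j"}
KNOWN_SOURCES = {"svc-backup": {"10.0.4.21"}, "admin-j": {"10.0.3.5"}}
PHISHING_RESISTANT_METHODS = {"fido2", "piv"}
FAILURE_BURST_THRESHOLD = 5


def parse_log(text):
    """Parse the key=value log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_anomalies(events, impacted=IMPACTED_IDENTITIES,
                   privileged=PRIVILEGED_OR_SERVICE, known_sources=KNOWN_SOURCES,
                   burst_threshold=FAILURE_BURST_THRESHOLD):
    """Return one finding dict per rule hit; events must be in chronological order."""
    findings = []
    fail_streak = defaultdict(int)  # (user, src) -> consecutive failures so far

    def flag(rule, event):
        findings.append({"rule": rule, "user": event["user"],
                         "src": event["src"], "ts": event["ts"].isoformat()})

    for event in events:
        key = (event["user"], event["src"])
        if event["result"] == "FAILURE":
            fail_streak[key] += 1
            continue
        # Everything below concerns a successful authentication.
        # Rule 1: a known-impacted identity still signing in with a credential
        # that the leak would expose, i.e. the reset/MFA step has not happened.
        if event["user"] in impacted and event["method"] not in PHISHING_RESISTANT_METHODS:
            flag("impacted-identity-password-login", event)
        # Rule 2: privileged or service account succeeding from a new source.
        if event["user"] in privileged and event["src"] not in known_sources.get(event["user"], set()):
            flag("privileged-new-source", event)
        # Rule 3: a run of failures from this (user, src) immediately before success.
        if fail_streak[key] >= burst_threshold:
            flag("failure-burst-then-success", event)
        fail_streak[key] = 0
    return findings


def summarize(findings):
    """Count findings per rule, as a plain dict for reporting."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
    print(summarize(find_anomalies(parse_log(SAMPLE_LOG))))
```

On the constructed sample, the service account `svc-backup` trips the impacted-identity rule twice (it is still using its password) and the new-source rule once, and `admin-j` trips all three rules on the success that follows five failures. Rule 1 is the direct check for whether the reset recommendation was actually carried out, which is why it keys on the authentication method rather than on the result alone.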

Class Action Suit 

The Oracle breaches have led to multiple lawsuits as well. First, on March 31, 2025, a lawsuit was filed in the Western District of Texas alleging that Oracle failed “to implement reasonable and industry standard data security practices to properly secure, safeguard, and adequately destroy sensitive personal identifiable information.” Second, a lawsuit was filed in the U.S. District Court for the Western District of Missouri against Oracle Health, alleging negligence in securing sensitive patient data following Oracle’s 2022 acquisition of Cerner. The plaintiffs claim they were not notified of the breach and now face increased risks of identity theft. The lawsuit seeks damages and injunctive relief requiring Oracle Health to strengthen its cybersecurity measures and increase transparency.