Oracle continues to deny breach, tries to hide evidence

Wayback Machine archive has been scrubbed

Customers and researchers have independently confirmed a breach of Oracle’s systems, but the company continues to downplay, deny and obfuscate.

Oracle has been dealing with the fallout of not one but two data breaches this week – and now it appears to be trying to hide the evidence in the face of further threats.

The controversy began in mid-March, when a threat actor known as ‘rose87168’ claimed responsibility for leaking six million records allegedly stolen from Oracle’s Cloud SSO login service.

The hacker posted samples on the dark web, reportedly containing a list of affected companies, encrypted SSO passwords, Java KeyStore (JKS) files, and LDAP information.

At the time Oracle strenuously denied any breach, dismissing claims by both security firm CloudSEK and the attacker.

"There has been no breach of Oracle Cloud," a spokesperson said. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

That claim was undermined when rose87168 sent a sample of the data to Alon Gal, co-founder and CTO at cybersecurity business Hudson Rock.

Gal shared the information with some Oracle customers, who confirmed it appeared to be legitimate.

Oracle has remained silent on the matter – causing Gal to call the firm out on LinkedIn.

“With no word from Oracle yet...Rose87168 is indicating they are moving to a new phase, potentially selling or leaking the data. Pretty crazy Oracle just denied this leak which has been verified independently by many cybersecurity firms.”

Security researcher Kevin Beaumont laid into Oracle for attempting to hide the breach by drawing a strict distinction between Oracle Cloud (which it says was not breached) and Oracle Classic:

“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility... Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.”

Oracle Classic, by the way, is still a set of cloud services that Oracle manages.

Both Beaumont and another security researcher, Jake Williams, allege that Oracle has been attempting to scrub evidence of the intrusion from the Wayback Machine.

And what is that evidence? Well, rose87168 left a text file on the Oracle Access Manager frontend as proof they had access, and the Wayback Machine had archived that page.

Oracle appears to have had that URL removed from the Wayback Machine on request:


But, as spotted by The Register, a copy can still be found by tweaking the archive URL slightly.

Computing says:

The denials, attempts to hide evidence and – according to reports – lack of any formal breach declaration are rapidly turning this into a case study in how not to handle a breach.

Customers have every reason to demand transparency, not wordplay, from a critical service provider like Oracle.

And where, in all this, are the regulators? CISA, the SEC and even the Federal Trade Commission all have reasons to get involved – and that’s just in the USA.