The Cybersecurity and Infrastructure Security Agency on Wednesday said organizations and individuals should take steps to protect their environments from a potential compromise of a legacy Oracle cloud environment.
CISA’s alert acknowledged public reporting of alleged threat activity targeting Oracle customers but said the scope and impact of that activity were unconfirmed. The FBI earlier this month declined to comment on the reported attacks.
CISA warned the nature of the reported threat activity posed a risk to organizations and individuals, particularly in situations where credential material could be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools.
CISA said such embedding could involve credential material that has been hardcoded into scripts, applications, infrastructure templates or automation tools. The agency said embedded credential material can be hard to detect and can enable long-term access by an unauthorized actor.
“The compromise of credential material, including usernames, emails, passwords, authentication tokens and encryption keys, can pose significant risk to enterprise environments,” according to the guidance.
CISA said organizations should take the following steps:
- Reset passwords for known affected users, particularly where local credentials are not federated through enterprise identity solutions.
- Review source code, infrastructure-as-code templates, automation scripts and configuration files for hardcoded or embedded credentials, and replace them with secure authentication methods backed by centralized secret management.
- Monitor authentication logs for anomalous activity, especially activity involving privileged, service or federated identity accounts.
- Enforce phishing-resistant multifactor authentication for all user and administrator accounts where possible.
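The second step above, reviewing scripts, infrastructure-as-code templates and configuration files for embedded credentials, is the kind of review that is easiest to do with a small scanner. The following Python script is an added illustration, not code from CISA or from any Oracle tooling: it flags assignments to secret-looking keys, private-key headers and bearer tokens, and skips values that merely reference a variable or a secret store (`var.`, `${...}`), so that a template that already follows the guidance is not reported. The sample file contents, the file names and the credential values in them are constructed for this example; the regexes cover only a few common shapes and are not an exhaustive detector set.

```python
import math
import re
from collections import Counter

# Key names that usually hold credential material (illustrative list, not exhaustive).
SECRET_KEY_NAMES = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|auth[_-]?token|token|private[_-]?key)"
)
# key = value  /  key: value  in shell, HCL, YAML, INI and similar formats.
ASSIGNMENT = re.compile(
    r"""(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']?(?P<value>[^"'\s#]+)["']?"""
)
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
BEARER = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}")
# Values that reference a variable, template input or secret store rather than
# containing a literal secret; these are what the guidance wants to see.
REFERENCE = re.compile(r"^(\$\{?[A-Za-z_]|var\.|data\.|\{\{|<|CHANGEME|REPLACE_ME|xxx+$)", re.I)


def shannon_entropy(s):
    """Bits per character; random tokens score high, words like 'hunter2' score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(name, text):
    """Return (file, line number, finding kind) for each suspected embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_HEADER.search(line):
            findings.append((name, lineno, "private_key_material"))
            continue
        if BEARER.search(line):
            findings.append((name, lineno, "bearer_token"))
            continue
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if not SECRET_KEY_NAMES.search(key):
            continue
        if REFERENCE.match(value):
            continue  # pulled from a variable or secret manager, not hardcoded
        kind = "high_entropy_secret" if len(value) >= 16 and shannon_entropy(value) > 3.5 else "literal_secret"
        findings.append((name, lineno, kind))
    return findings


def scan_files(files):
    """files: mapping of file name -> text content (read from disk in real use)."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample repository: one hardcoded password, one bearer token in a
# deploy script, one random API key in a Terraform file, one private key file,
# and a YAML config that correctly references the secret through an environment variable.
SAMPLE_FILES = {
    "deploy.sh": 'set -e\nexport DB_PASSWORD="hunter2"\n'
                 'curl -H "Authorization: Bearer Xk9fQ2mT7bR4wL1pZ8vNXk9fQ2mT7b" https://example.invalid/api\n',
    "main.tf": 'variable "db_password" {}\nresource "x" "y" {\n'
               '  password = var.db_password\n  api_key  = "Xk9fQ2mT7bR4wL1pZ8vN"\n}\n',
    "config.yaml": "database:\n  user: app\n  password: ${DB_PASSWORD}\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n<constructed placeholder key body>\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d  %s" % finding)
```

Running the script reports the shell password and bearer token, the Terraform API key and the private key file, while `config.yaml` and the `var.db_password` line produce nothing because they already defer to a variable or secret store. In real use the per-file findings are a review queue, not a verdict: each hit should be rotated or moved into a secret manager, and the entropy threshold and key-name list tuned to the repository's false-positive rate.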
The CISA guidance comes more than a month after a threat actor claimed a massive breach involving up to 6 million records, potentially affecting up to 140,000 tenants. Security firm CloudSEK issued research pointing to a hacker exploiting a vulnerability in Oracle Cloud’s login endpoint.
Trustwave SpiderLabs provided additional research supporting the claimed breach after analyzing a dataset in March.
Oracle has denied any breach of the Oracle Cloud environment but has given no clear explanation after multiple research firms reviewed evidence of the alleged breach.
A class-action lawsuit was filed against Oracle Health in the U.S. District Court for the Western District of Missouri, and a separate case was filed in March against Oracle Corp. in the U.S. District Court for the Western District of Texas.
Oracle has not issued any public advisories or guidance on what customers should do in response to these claims. Information security officials told Cybersecurity Dive the company has privately advised certain customers that sought help.
“There has been no breach of Oracle Cloud (OCI),” an Oracle spokesperson told Cybersecurity Dive earlier this month via email. “The published credentials are not for OCI. No OCI customers have experienced a breach or lost any data.”
Information security leaders said they are still seeking more transparency from Oracle, which has declined to publicly explain these reports beyond issuing denials that Oracle Cloud was breached.
Jonathan Braley, director of threat intelligence at IT-ISAC, said the organization has continued to engage with members with the information that has been made available.
“The advisory is helpful in that we have a credible report we can share, though it appears CISA has taken a proactive stance of mitigating ‘potential unauthorized access’ as we all await details from Oracle,” Braley said via email.
“We’re disappointed with the lack of transparency from Oracle,” Errol Weiss, chief security officer at Health-Information Sharing and Analysis Center, told Cybersecurity Dive via email. “We’ve invited them to share through our member-only community, but that offer has not been acted upon yet.”