The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organisations and individuals to take precautions amid concerns about a potential compromise involving a legacy Oracle cloud environment.
In an alert issued Wednesday, CISA acknowledged ongoing reports of suspicious activity targeting Oracle customers. While the full scope of the threat remains unclear, the agency flagged several risks, particularly around exposed or reused credentials.
CISA’s guidance highlights the danger of credential material—such as usernames, passwords, authentication tokens, and encryption keys—being embedded in scripts, automation tools, or infrastructure templates. If compromised, credentials can grant long-term access to attackers and are often difficult to detect.
The agency is advising organisations to take several steps:
- Reset passwords for users who may have been affected, especially where credentials aren’t managed through centralised identity systems.
- Review and update any scripts, code, or configuration files that may contain hardcoded credentials, replacing them with secure authentication methods.
- Monitor authentication logs for any unusual activity, with extra attention on accounts with administrative or elevated privileges.
- Enforce phishing-resistant multifactor authentication for both user and admin accounts wherever possible.
The advisory follows claims made in recent weeks about a large-scale breach involving up to six million records and as many as 140,000 Oracle tenants. Researchers at CloudSek pointed to a vulnerability in Oracle Cloud’s login system, while TrustWave SpiderLabs said its analysis of a dataset supports the breach claims.
Oracle has publicly denied any compromise of Oracle Cloud Infrastructure (OCI) and maintains customer data has not been affected. Despite the denials, the company hasn’t issued formal guidance or a public advisory to customers. Security professionals say Oracle has communicated with some customers privately but has stayed largely silent in the public domain.
An Oracle spokesperson stated, “There has been no breach of Oracle Cloud (OCI),” to Cybersecurity Dive earlier this month. It said the circulated credentials are unrelated to OCI.
Two lawsuits have already been filed—one against Oracle Health in Missouri, and the other against Oracle Corporation in Texas.
Industry groups are calling for more openness from Oracle. Errol Weiss, chief security officer at the Health-Information Sharing and Analysis Center, said Oracle had yet to respond to an invitation to engage with the group’s members. “We’re disappointed with the lack of transparency from Oracle,” he said.
Jonathan Braley, director of threat intelligence at IT-ISAC, said the CISA advisory offers some direction while stakeholders continue to wait for more detailed information. “The advisory is helpful in that we have a credible report we can share, though it appears CISA has taken a proactive stance of mitigating ”potential unauthorised access” as we all await details from Oracle,” he said.
For now, security experts continue to monitor the situation, repeating calls to Oracle to provide further clarity to its customers and the broader cybersecurity community.
(Photo by Unsplash)
See also: Oracle Cloud denies breach as hacker offers 6 million records for sale
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
