The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organisations and individuals to take precautions amid concerns about a potential compromise involving a legacy Oracle cloud environment.
In an alert issued Wednesday, CISA acknowledged ongoing reports of suspicious activity targeting Oracle customers. While the full scope of the threat remains unclear, the agency flagged several risks, particularly around exposed or reused credentials.
CISA’s guidance highlights the danger of credential material—such as usernames, passwords, authentication tokens, and encryption keys—being embedded in scripts, automation tools, or infrastructure templates. If compromised, these credentials can grant long-term access to attackers and are often difficult to detect.
The agency is advising organisations to take several key steps:
- Reset passwords for users who may have been affected, especially where credentials aren’t managed through centralised identity systems.
- Review and update any scripts, code, or configuration files that may contain hardcoded credentials, replacing them with secure authentication methods.
- Monitor authentication logs for any unusual activity, with extra attention on accounts with administrative or elevated privileges.
- Enforce phishing-resistant multifactor authentication for both user and admin accounts wherever possible.
This advisory follows claims made in recent weeks about a large-scale breach involving up to 6 million records and as many as 140,000 Oracle tenants. Researchers at CloudSEK pointed to a vulnerability in Oracle Cloud’s login system, while Trustwave SpiderLabs later said its analysis of a dataset supports those breach claims.
Oracle has publicly denied any compromise of its Oracle Cloud Infrastructure (OCI) and maintains that customer data has not been affected. Despite these denials, the company hasn’t issued formal guidance or a public advisory outlining next steps for customers. Security professionals say Oracle has communicated with some customers privately but has stayed largely silent in the public domain.
“There has been no breach of Oracle Cloud (OCI),” an Oracle spokesperson reiterated to Cybersecurity Dive earlier this month, adding that the credentials being circulated are unrelated to OCI.
Even so, two lawsuits have already been filed—one against Oracle Health in Missouri, and another against Oracle Corporation in Texas.
Some industry groups are calling for more openness from Oracle. Errol Weiss, chief security officer at the Health-Information Sharing and Analysis Center, said Oracle had yet to respond to an invitation to engage with the group’s members. “We’re disappointed with the lack of transparency from Oracle,” he said.
Jonathan Braley, director of threat intelligence at IT-ISAC, said the CISA advisory offers some direction while stakeholders continue to wait for more detailed information. “The advisory is helpful in that we have a credible report we can share, though it appears CISA has taken a proactive stance of mitigating ‘potential unauthorised access’ as we all await details from Oracle,” he said.
For now, security experts continue to monitor the situation, calling on Oracle to provide further clarity to its customers and the broader cybersecurity community.