The Oracle Cloud breach 2025: Maintaining cybersecurity resilience and posture

This article provides an overview of the recent Oracle breach, explaining how cloud infrastructure is vulnerable to cyberattacks and providing recommendations for boosting your cybersecurity preparedness.

Understanding the Oracle Cloud breach

On March 21, 2025, a user posting under the pseudonym rose87168 claimed to have gained access to Oracle Cloud’s login servers. The claim was posted on BreachForums, an English-language black-hat hacking forum. Those login servers hold sensitive data, including single sign-on (SSO) material and other information that allows access to user accounts. The poster also provided a list of impacted accounts for organizations to review and act on.1

Oracle initially denied the breach, but after evidence proved it had occurred, the company began to reach out to its customers privately.2 A follow-up article confirmed that Oracle was informing customers, and the investigation has thus far shown that the attacker exploited a critical vulnerability in Oracle Access Manager that had supposedly been patched in mid-January 2022.3

This incident impacts over 140,000 customer organizations that share this cloud environment. The total dollar cost is yet to be determined, but it could be on par with or even exceed the $5.4 billion loss from the CrowdStrike incident of June 2024.4

Cloud environments are susceptible to data breaches

The cloud is designed to provide centralization, scalability, and ease of use. It allows organizations to access their data and applications from anywhere, supporting remote workers. It brings reliability of data access with redundancy and backups. And while those benefits are notable, they rely on the security measures that the cloud host provides.

Cloud environments are not immune to data breaches. If the security of the cloud environment is compromised, organizations need to consider measures they can take to best safeguard their data.

Titus Chiu, Enterprise Security Consultant at LMNTRIX, began contacting his clients early on. He advised them to reset the authentication between the identity provider (such as Okta or Microsoft Azure/Entra) and Oracle. He also advised them to change all passwords for accounts, including service accounts. Finally, he recommended disabling the “Break Glass in Case of Emergency” account, which is a highly privileged account used in critical situations when standard access is unavailable or compromised, allowing administrators to regain control and restore operations.5 All of these measures can help organizations swiftly and safely respond to a breach.

A robust cybersecurity framework to safeguard your organization

Cybersecurity is best implemented in layers. While cloud-hosted environments should have security measures in place, they are subject to compromise, making a comprehensive cybersecurity strategy critical.

The Oracle Cloud breach of 2025 can serve as a valuable wake-up call for organizations to reevaluate and refine their cybersecurity posture. Here are a few things organizations can do to better protect their data and promote stronger cyber resiliency:

  1. Use multi-factor authentication (MFA). Making this a requirement provides greater security for user accounts. Even if an attacker gains access to a user's password, that would not be enough to log in as that user. One of the best ways to enforce this is to use an authentication app on a personal device like a mobile phone. By restricting the app to that one device, you can minimize the risk of an unauthorized user accessing that account.
  2. Require periodic password changes. While one may think MFA is enough, passwords are still a fundamental part of authentication. Regular changes can add another barrier against potential threats. If a password is stolen, regularly changing it reduces the window of opportunity for an attacker to access the account.
  3. Implement least privilege. Ensure that any user account has only the access it needs to perform its job functions. This minimizes the pathways an attacker can exploit and reduces the overall attack surface. If an account is compromised, the attacker is limited to that user's permissions.
  4. Plan for and rehearse incidents and resolutions. Planning for a breach can help you be prepared and potentially mitigate the impact. Drills or tabletop exercises (TTX) are very effective rehearsal methods. They allow organizations to test and validate their incident response in a controlled, low-risk environment.
  5. Consider an MDR/XDR partner. Managed Detection and Response (MDR) and Extended Detection and Response (XDR) services provide several advantages like 24/7/365 active monitoring. Select a partner that offers advanced threat detection, including artificial intelligence (AI) and machine learning, to identify and analyze threats. Also, look for a partner that can provide rapid incident response to isolate systems and contain threats.

With these measures in place, your organization will be better equipped to identify, respond to, and recover from breaches.

Getting started with a cybersecurity partner

The Oracle Cloud breach of 2025 underscores the importance of a proactive, comprehensive cybersecurity strategy. CAI offers an end-to-end cybersecurity service that can help your organization assess your system vulnerabilities and start proactively planning for a cyber incident. Working alongside LMNTRIX, we offer a Gartner-recognized MDR/XDR solution.

Our team can help you navigate the complex environment of evolving cybersecurity threats and cyber solutions for your organization, creating better cyber resilience and an improved posture. Start proactively protecting your organization by connecting with our cyber experts.

Endnotes

  1. The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants, CloudSEK, https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants.
  2. Oracle privately confirms Cloud breach to customers, Bleeping Computer, April 3, 2025, https://www.bleepingcomputer.com/news/security/oracle-privately-confirms-cloud-breach-to-customers/.
  3. Oracle quietly confirms public cloud data breach, customer data stolen, TechRadar, April 8, 2025, https://www.techradar.com/pro/security/oracle-quietly-confirms-public-cloud-data-breach-customer-data-stolen.
  4. CrowdStrike’s Impact on the Fortune 500, Parametrix, https://cdn.prod.website-files.com/64b69422439318309c9f1e44/66a24d5478783782964c1f6f_CrowdStrikes%20Impact%20on%20the%20Fortune%20500_%202024%20_Parametrix%20Analysis.pdf.
  5. Titus Chiu, Enterprise Security Consultant, LMNTRIX