In a digital age where transparency is currency, Oracle appears to have been dealing in shadows. After weeks of brushing off claims of a cyberattack on its cloud infrastructure, the tech titan is now quietly informing select customers that their data was, in fact, stolen—a revelation that undercuts its earlier, emphatic denials.

The breach, allegedly orchestrated by a hacker going by “rose87168,” involved a staggering six million records—sensitive items like private security keys, encrypted credentials, and LDAP entries. This wasn’t some outdated, dusty archive of forgotten passwords. While Oracle insists the compromised server stored eight-year-old data, at least one affected client claims the stolen credentials were fresh enough to include 2024 logins.

The entry point? According to independent cybersecurity analysts, Oracle failed to patch its own cloud login servers against CVE-2021-35587—a vulnerability in Oracle Access Manager. Ironically, the very software Oracle sells as a security solution became the source of its exposure.

Sources say Oracle has brought in CrowdStrike and involved the FBI, though both parties have largely remained tight-lipped. What’s more concerning is that Oracle only contacted certain clients in private, raising red flags about potential violations of Europe’s GDPR, which mandates disclosure within 72 hours of discovery. In the U.S., legal challenges are already bubbling up, including a lawsuit in Texas that could shed light on the timeline and Oracle’s internal response.

This breach is reportedly separate from an ongoing incident involving Oracle Health, which the company has yet to publicly acknowledge.

In the tech world, silence can be deafening—but for customers whose trust and data were compromised, Oracle’s hush-hush approach may be even more costly.