Oracle says its cloud was compromised
Oracle has briefed some customers about a successful intrusion into its public cloud, as well as the theft of their data, after previously denying it had been compromised.
Claims of a cyberattack on Oracle’s cloud service emerged in late March when a miscreant using the handle “rose87168” boasted of cracking into two of Big Red’s login servers for customers and harvesting around six million records, which included clients’ private security keys, encrypted credentials, and LDAP entries. The netizen put the info, involving thousands of organizations, up for sale on a cybercrime forum.
The Safra Catz-run database giant swore blind the claims were false. It turns out the only things false were the denials.
Multiple information security experts analyzed samples of the stolen data, shared by rose87168 as proof of their heist, and concluded Oracle’s Cloud Classic product was indeed compromised by the thief, likely by exploiting Oracle-hosted login servers that weren’t patched against CVE-2021-35587, a vulnerability in Oracle Access Manager, a product in the Oracle Fusion Middleware suite. Oracle hadn’t patched a hole in its own software on its own systems, leading to the theft of info. No wonder it kept quiet.
The data thief even created a text file in early March on login.us2.oraclecloud.com containing their email address to show they had access at one point.
Now, two of the IT titan’s customers have said Oracle contacted them to quietly discuss the theft of their data from its cloud offering, and had enlisted CrowdStrike to straighten out this mess. The antivirus slinger declined to confirm this, “respectfully” referring The Register to Oracle. It’s said the FBI is also probing the intrusion.
Parts of this article appeared earlier in The Register