The Oracle of Truth 🔮 | Personal Gmail for work 📧 (by the US Government)
#180 - Oracle Cloud was allegedly breached. The company denies | After using Signal for war communications...
They breached me. They breached me not 🌿…
Oracle’s handling of breach allegations is a lesson to other providers.
CloudSEK, a threat research firm, found a threat actor purportedly selling data of Oracle Cloud customers. They called it “The biggest supply chain hack of 2025”.
Oracle denied it. They said they were never breached.
Then the alleged threat actor released 10k records just to show that they have the data. CloudSEK did a deep dive on the breach. Independent security researchers worked with the records, and some customers identified them as their own records.
Oracle continued to deny that they were breached.
The security community did not take kindly to it.
This post succinctly summarizes what the security community felt. An extract:
Heath Renfrow, CISO and Co-founder at Fenix24, expands on the overall threat that this data breach presents: “Regardless of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning. This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk.”
Meanwhile, I am not sure if Oracle communicated to their cloud customers at all.
Take Action:
First, if you are facing a situation like this, don’t be in a hurry to deny that a breach happened. It is always better to spend the time and energy to investigate reasonable claims before issuing a denial. You end up looking quite foolish if a breach is proven later on.
Add this to your scenarios for tabletop exercises for incident response: A threat actor claims to have hacked you and has released information about the hack on the dark web. You do not feel you were breached. Add an inject: the threat actor releases 10k records.
If you are a large service provider, work with your communications team to identify clear communication points. Work with your helpdesk to begin proactive communication to your customers - either telling them the steps to take, or assuring them that you have looked into it and there is nothing to worry about.
Never communicate: “There’s nothing to worry about, but change your password.”
It’s just personal Gmail for work - What could go wrong?
Except that this comes from a top-ranking US government official.
Every security professional has gone through this harrowing experience.
Senior leadership insists on using personal devices, personal Gmail accounts and other such things to work on corporate data. The IT helpdesk raises a ticket. It has an innocuous link that requires an approval from ‘security’, and that security professional is you.
It then falls on you to talk the gentleman from the leadership team out of it. You already know the arguments - “I travel a lot. I cannot carry 2 devices.” “It takes forever for me to log in to the corporate account.” “IT cannot seem to configure my shiny new iPad” - because they never thought of procuring an Apple MDM server for the two iPads among the 20k Windows machines.
Then, most of the time, there is reluctant acceptance, but you are led to believe that if the investors don’t like the sales numbers and the stock price falls, you will be blamed for causing all this trouble.
The only problem is that this is the US government we are talking about. A senior member of the US National Security Council was found using Gmail for work.
You would expect them to be a little more careful, but we live in a brave new world now. If Signal can be used for official communication, then this seems the logical next step.
Take Action:
Nothing to say here. It’s security 101.