Article Details
Scrape Timestamp (UTC): 2025-04-18 16:33:38.715
Source: https://www.theregister.com/2025/04/18/oracle_cisa_advisory/
Original Article Text
Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter.
Some in the infosec world definitely want to see Big Red crucified.
CISA – the US government's Cybersecurity and Infrastructure Security Agency – has issued an alert for those who missed Oracle grudgingly admitting some customer data was stolen from the database giant's public cloud infrastructure.
On Wednesday, the cyber-agency advised Oracle users to make sure, in light of that theft, they aren't embedding into software and cloud resources credentials that may have been pilfered from the IT titan's login servers by a pseudonymous miscreant. CISA also recommended resetting passwords for affected user accounts, monitoring authentication logs for unusual activity tied to privileged or service accounts, and enforcing phishing-resistant multi-factor authentication (MFA) wherever possible.
The security breach at Oracle, previously reported by The Register, "presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (ie, hardcoded into scripts, applications, infrastructure templates, or automation tools)," CISA wrote this week. "The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments."
Oracle first denied it had been compromised, then quietly sent customers a letter playing down an intrusion into two "obsolete" login servers in its public cloud infrastructure that it forgot to patch, allowing a miscreant to make off with thousands of customers' encrypted passwords, key files, and other info. In its alert, CISA noted "the scope and impact remains unconfirmed."
Oracle declined to comment when we asked it about the agency's note to the world. CISA also declined to comment further than what it wrote in its advisory.
Certainly, some customers are not happy.
Oracle is now facing a lawsuit in its home state of Texas, accusing it of failing to notify users in a timely manner about the security breach.
Daily Brief Summary
CISA issued an alert regarding a data theft from Oracle’s public cloud infrastructure, urging Oracle users to enhance security measures.
Oracle initially denied the breach but later acknowledged that customer data was stolen due to unpatched "obsolete" login servers.
The stolen data may include emails, passwords, authentication tokens, and encryption keys, posing significant risks.
Recommended actions include resetting passwords, monitoring authentication logs, and enforcing multi-factor authentication.
The extent of the breach and its impact are still not fully determined, according to CISA.
Oracle faces a lawsuit in Texas for not alerting affected users in a timely fashion about the breach.
Oracle has not provided additional comments beyond their initial downplayed notification to affected customers.