Oracle EBS Extortion Campaign Claims $50M Demand

Google’s Threat Analysis Group and Mandiant warn of a high‑volume extortion email campaign that began on or around Sept. 29, 2025, in which attackers claim to have stolen sensitive data from Oracle E‑Business Suite (EBS) instances. The campaign used hundreds of compromised third‑party accounts and contact addresses matching listings on the Cl0p data‑leak site, and victims have been shown alleged proof of access such as screenshots and file listings. Investigators say attackers appear to have abused compromised emails and Oracle password‑reset/default processes for internet‑facing EBS portals, though some experts caution an underlying software flaw or copycat actors could also explain the activity. Cybersecurity firm Halcyon and others report ransom demands in the seven‑ and eight‑figure range, with at least one demand reportedly as high as $50 million. Google and Mandiant say investigations are ongoing and they have not yet substantiated that data were exfiltrated; Oracle and the alleged actors have not commented. Security responders are assisting affected organizations and advising firms running internet‑facing Oracle EBS to review exposed portals, reset credentials, and monitor for suspicious activity.