In a detailed blog post, Google said that Oracle first reported the breach on Oct. 2, noting that hackers may have taken advantage of vulnerabilities that were patched in July.



The company urged clients to apply the latest critical patch updates immediately. Two days later, on Oct. 4, Oracle reinforced that guidance, issuing emergency patches and reiterating the need for customers to remain up to date with all security updates.



Google’s analysis suggests that the CL0P extortion campaign followed months of sustained intrusion into Oracle E-Business Suite (EBS) customer environments.



The hackers allegedly exploited a zero-day vulnerability, possibly CVE-2025-61882, as early as Aug. 9, weeks before a security patch was made available. Evidence of suspicious activity was also traced back to July 10, according to Google’s blog post.



In many instances, the attackers were able to exfiltrate significant volumes of sensitive information from affected organisations.



In a separate statement to Reuters, Google analyst Austin Larsen said, “We are aware of dozens of victims, but we expect there are many more. Based on the scale of previous CL0P campaigns, it is likely there are over a hundred.”



Google confirmed that the hackers had specifically targeted Oracle’s E-Business Suite, a widely used platform that supports business functions such as customer management, supply chain operations, manufacturing, and logistics.