Cl0p releases data nabbed from Harvard thanks to Oracle exploit

Harvard University has scrambled to contain a data security breach after Cl0p, a notorious ransom gang, first threatened to leak information stolen from Harvard systems – and then did so.
- Cl0p released Harvard's stolen data immediately, including financial records and source code, departing from their typical ransom-first approach.
- Exposed source code from Harvard's internal tools creates new vulnerabilities that attackers could exploit for future breaches.
- Since July, Cl0p has been exploiting a critical Oracle EBS zero-day vulnerability, compromising hundreds of organizations including Harvard University.
The cybercrime group Cl0p is now seemingly reaping the harvest after it successfully exploited a critical zero-day bug in Oracle’s E-Business Suite (EBS). Hundreds of companies and organizations – all Oracle clients – were allegedly compromised.
One of them is apparently Harvard University, which uses EBS for various administrative functions. Now, Cl0p, essentially a digital organized crime ring, has claimed that it stole data from the prestigious school.
“Harvard should take this seriously”
Moreover, even though Cl0p’s standard operating procedure involves demanding a large ransom payment from its victims, threatening to publish their sensitive data if they refuse to pay, the gang has already published data stolen from Harvard.
According to Cybernews researchers, Cl0p has shared 1.4TB of data on its leak site. This data originates from Harvard’s servers hosted by Oracle.
The published data includes logs and reports from Harvard’s internal payment system as well as source code for various internal tools. Cybernews’ research team has analyzed the data and says it includes references that strongly suggest it was indeed taken from EBS systems.
Cybernews has reached out to Harvard University for comment and will update the article once a reply is received.
Earlier, the Harvard University Information Technology (HUIT) spokesperson said in a statement that the university was “aware” of the reported data breach, but an initial investigation found it affected only “a limited number of parties associated with a small administrative unit.”
HUIT – essentially Harvard’s IT support unit – has applied a patch to address the vulnerability and reported “no evidence of compromise to other University systems.”
According to Cybernews’ research team, the affected unit seems to be Harvard Global, a Massachusetts-based nonprofit corporation providing financial, HR, and operational support for Harvard University's international activities so that scholars and students can focus on research and programs.
“While the leaked data may be limited to a small administrative unit within Harvard, the leaked data includes financial data and source code,” said Aras Nazarovas, Cybernews’ Senior Information Security Researcher.
“This means that Harvard should take this leak seriously and analyse the leaked data to identify the scope of the issue. We can expect the threat actors to try and further exploit vulnerabilities found in exposed source code.”
The Oracle exploit harvest
The breach at Harvard is, of course, not an isolated event. The incident is connected to a larger, global campaign carried out by Cl0p against EBS systems.
Reports about compromised Oracle customers only appeared a couple of weeks ago, when Cl0p sent extortion emails to multiple companies, claiming that their sensitive data was stolen from the cloud company’s EBS systems after a critical zero-day bug was exploited.
Oracle first addressed vulnerabilities in its system in an early October statement, but quickly issued a second, now urgent patch days later.
It soon became clear that the gang began abusing this flaw as far back as July, with over 100 companies worldwide potentially targeted in the broad offensive.
According to the Google Threat Research Group (GTIG) and intelligence arm Mandiant, Cl0p was able to successfully chain together multiple distinct vulnerabilities – including the zero-day (CVE-2025-61882) – and gain unauthenticated Remote Code Execution (RCE) on the cloud company’s EBS, allowing the gang to steal vast quantities of customer data.
At the same time, Cl0p sent out emails to victim companies, informing them they had been breached and laying out their demands.
“Dearest Executive,” the email reads. “We have recently breached your Oracle E-Business Suite application and copied a lot of documents.”
“All the private files and other information are now held on our systems. But don't worry. You can always save your data for payment,” Cl0p goes on, urging the victim to “protect your business reputation” and pay the “claimed sum.”