Let me preface this with this was a dormant account with no instances set up, and I put it into place maybe 4 or 5 years ago while getting into the Self Hosted space. I don't recall if I had MFA setup, but don't think I did as it was a test space. In fact, I forgot I even had it up until now.
So this weekend, we were out of town and I get this alert from Oracle Cloud saying that my account was locked with a password reset link/ This was set to an email I've had since 2004 and has been sold many many times on the dark web as evidenced by the amount of SPAM I get on it and as my monitoring services confirm. I figured it was a weak ploy at a fishing to get my credentials so I ignored it. Then about 3 or 4 or so minutes later, the account was unlocked with another email to confirm this. (Without my touching anything)
So, last night when I returned home, I went to Oracle ignoring the email links and used my browse's address bar. To no surprise of my own, I can't log in or reset my credentials. Somehow, the attackers were able to exploit their platform to intercept the password reset and change everything to their credentials.
It's no real loss on my end honestly, Oracle had an old canceled debit card number for re-occurring billing if I should have ever used their services anyway. It just bugs me that they allowed it to happen so easily. Having the lack of MFA, I'm sure didn't help the matter, but honestly, what gets me the most - their password reset email and the one saying it was unlocked with no links or contact information to correct the situation if this was incorrect. Further proof on my end that oracle doesn't care about anything other than the money grab.
tl:dr My lack of MFA enabled hackers to attack my formerly dormant and forgotten Oracle account, and locked me out and Oracle doesn't seem to mind.
The way I read this either their password reset infr is compromised, your email is compromised, or they did some social engineering w/ a support technician.