Oracle has suffered a data breach within its retail unit.
The cloud giant discovered malicious software on systems running its network of MICROS payment terminals, the company confirmed in an email to Fortune. In addition to affecting hundreds of the company’s computers, the breach affects an online support portal that allows Oracle to remotely address customers’ issues concerning their cash register-connected terminals, Brian Krebs, an independent cybersecurity journalist, first reported on his site Krebs on Security on Monday, citing people briefed on the matter.
The malware planted on Oracle’s systems enabled attackers to steal customers’ login credentials, Krebs noted. In response, Oracle said it is forcing users of the service to change their account passwords, adding that the breach does not affect its other corporate networks, cloud services, and systems.
Get Data Sheet, Fortune’s technology newsletter.
The MICROS system compromise could explain why so many shops, hotels, and retail outlets have been suffered breaches at their point of sale systems in the past months, said Avivah Litan, an analyst in Gartner (IT). Asked whether she believed that this breach has something to do with a recent spate of stolen payment card data in retail and hotel hacks, Litan told Fortune, “I think it’s very likely.”
“If they’re MICROS customers, this would 100% explain that,” she said on a call.
MICROS point-of-sale technology, which Oracle (ORCL) acquired for $5.3 billion in late 2014, is used by companies in hoteling: (Hyatt (H), Marriott (MAR), Hilton (HLT), food and beverages: (Yum (YUM), Starbucks (SBUX), Burger King (BKW), and retail: (Ikea (IKEA), BJ’s (BJ), Adidas (ADDYY).
According to a 2014 Oracle power point presentation, MICROS is used by 330,00 sites across 180 countries. That would make it one of the three largest providers of point of sale tech worldwide, alongside Verifone (PAY) and Ingenico (INGIY).
For more on Oracle, watch:
Krebs cited the Carbanak Gang, a group of cybercriminals that security experts have said stole more than $1 billion from financial firms and others in recent years, as a possible perpetrator of the attack. One of the group’s computer servers was found to be in contact with the malware, unnamed sources told him.
The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems.” Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.
Here is the note from Oracle concerning the breach, obtained by Fortune, in full:
Dear MICROS Customer,
Oracle Security has detected and addressed malicious code in certain legacy MICROS systems. Oracle’s Corporate network and Oracle’s other cloud and service offerings were not impacted by this code. Payment card data is encrypted both at rest and in transit in the MICROS hosted environment.
To prevent a recurrence, Oracle implemented additional security measures for the legacy MICROS systems. Consistent with standard security remediation protocols, Oracle is requiring MICROS customers to change the passwords for all MICROS accounts. Information for customers on how to change your passwords has been published on My Oracle Support (Doc ID 2165744.1). We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.
Please refer to My Oracle Support (Doc ID 2165744.1) and the attached FAQs for additional information. You may also contact MICROS Support at http://www.oracle.com/us/corporate/acquisitions/micros/support/index.htm. We apologize for any inconvenience this may cause you.
The Oracle Hospitality & Retail Team