Hacker claims huge breach of Oracle Cloud, the company denies, later confirms

Oracle is facing allegations of a significant data breach, claims the company initially denied.

A threat actor operating under the alias "rose87168" has claimed to have stolen approximately 6 million records from Oracle Cloud's federated SSO login servers, specifically targeting servers in Amsterdam (EM2) and Chicago (US2).

The alleged attacker claims to have breached Oracle Cloud servers approximately 40 days ago, potentially exploiting an unpatched vulnerability. The threat actor specifically mentioned that Oracle Cloud servers were running a vulnerable version with a public CVE, though they did not specify which vulnerability or provide proof of concept.

Some security researchers, including CloudSEK, have speculated that the US2 server in Chicago may not have been patched for CVE-2021-35587 (CVSS score 9.8), a critical vulnerability in Oracle Access Manager within Oracle Fusion Middleware.

According to the threat actor, the stolen data allegedly includes:

  • Encrypted SSO passwords
  • Java Keystore (JKS) files
  • Key files
  • Enterprise Manager JPS keys
  • LDAP information
  • Data allegedly affecting 140,000 tenants

The attacker claims to have initially contacted Oracle with a demand for 100,000 XMR (Monero cryptocurrency), equivalent to over 200 million dollars. According to rose87168, Oracle refused to pay after asking for "all information needed for fix and patch." The attacker is now offering to sell the allegedly stolen data on the BreachForums hacking forum for an undisclosed price or in exchange for zero-day exploits.

Oracle has categorically denied these claims, stating: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

To prove their claims, the threat actor shared a URL with BleepingComputer showing an Internet Archive entry that purportedly indicates they uploaded a .txt file containing their ProtonMail email address (rose87168@proton.me) to the login.us2.oraclecloud.com server. 

BleepingComputer has reportedly contacted various companies whose data was allegedly stolen to confirm the validity of the claims.

Despite Oracle's denial, security experts recommend that organizations using Oracle Cloud take precautionary measures:

  1. Reset credentials as a preventive step
  2. Check for any signs of compromise
  3. Review and update security configurations
  4. Do not pay any ransom to have credentials removed from the alleged leak list (a payment can also put the payer in breach of US sanctions rules if the recipient is a sanctioned party)

The validity of this breach remains unconfirmed, with Oracle maintaining that no breach occurred. This situation follows similar patterns to other alleged attacks that have later proven to be false.

The number of individuals affected by this alleged incident beyond the claimed 140,000 tenants is not disclosed.

Update - According to CloudSEK's investigation, the threat actor gained access to a Single Sign-On (SSO) endpoint (login.us2.oraclecloud.com) and exfiltrated approximately 6 million records from over 140,000 tenants. The endpoint was reportedly still live roughly 30 days before the claim surfaced, consistent with the threat actor's statement that Oracle took the targeted server down weeks before the breach was announced.

CloudSEK presented several pieces of evidence to substantiate the breach claims:

  1. Purpose of login.us2.oraclecloud.com - An archived GitHub repository published under Oracle's official organization references "login.us2.oraclecloud.com"; the endpoint was used for OAuth2 authentication and token generation.
  2. Real Customer Domains Matched - Multiple public GitHub repositories contained hardcoded credentials pointing to login.us2.oraclecloud.com. Verified domains present in the threat actor's leaked list included sbgtv.com, nexinfo.com, cloudbasesolutions.com, nucor-jfe.com, and rapid4cloud.com
  3. Production SSO Setup Confirmation - Documentation from OneLogin (an IAM solutions provider) and Rainfocus (an Oracle Cloud deployment partner) confirmed the endpoint was used in production environments.
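The CloudSEK finding above (hardcoded credentials in public repositories pointing at login.us2.oraclecloud.com) and the earlier advice to reset credentials and check for signs of compromise reduce to one question for a defender: where did our own code and configuration talk to these endpoints, and which secrets sat next to those references? The Python script below is an added example, not code from the article, CloudSEK, BleepingComputer or Oracle. It scans text for the two endpoint hostnames the article names and flags credential-looking assignments within a couple of lines of each hit, producing a rotation worklist. The hostnames are the only real identifiers in it; the sample configuration (section names, `/oauth2/token` paths, values), the list of credential key names and the line-proximity heuristic are assumptions made for illustration.

```python
"""
Hunt for integrations with the legacy Oracle Cloud federated SSO endpoints.

Added example, not code from the article, CloudSEK, BleepingComputer or Oracle.
Only the two hostnames are real; the sample config, key names and the
proximity heuristic are assumptions made for illustration.
"""
import re
from pathlib import Path

# The two SSO endpoints named in the reporting (Chicago US2 and Amsterdam EM2).
LEGACY_SSO_HOSTS = ("login.us2.oraclecloud.com", "login.em2.oraclecloud.com")

HOST_RE = re.compile(
    r"\b(" + "|".join(re.escape(h) for h in LEGACY_SSO_HOSTS) + r")\b", re.I
)

# Credential-looking assignments ("key = value" or "key: value"), quotes optional.
# Longer names come first so "client_secret" is reported as such, not as "secret".
SECRET_KEY_RE = re.compile(
    r"(?P<key>client_secret|clientsecret|password|passwd|pwd|api_key|apikey|secret|token)"
    r"""\s*[:=]\s*["']?(?P<val>[^"'\s,;]+)""",
    re.I,
)

WINDOW = 2  # lines above/below an endpoint hit in which a secret counts as "nearby"


def mask(value):
    """Keep two characters at each end so a finding is recognisable but not reusable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text, source="<memory>", window=WINDOW):
    """Return one finding per line that references a legacy endpoint.

    A finding holds the source, 1-based line number, matched host, and a list of
    (line, key, masked value) for credential-looking assignments within `window` lines.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, start=1):
        hit = HOST_RE.search(line)
        if not hit:
            continue
        lo = max(0, i - 1 - window)      # first index of the context window
        hi = min(len(lines), i + window)  # one past the last index
        secrets = [
            (j + 1, m.group("key").lower(), mask(m.group("val")))
            for j in range(lo, hi)
            for m in SECRET_KEY_RE.finditer(lines[j])
        ]
        findings.append(
            {"source": source, "line": i, "host": hit.group(1).lower(), "secrets": secrets}
        )
    return findings


def scan_tree(root, suffixes=(".properties", ".conf", ".cfg", ".ini", ".env", ".yaml",
                              ".yml", ".json", ".xml", ".py", ".java", ".sh")):
    """Walk a checkout or config directory and collect findings from text files."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample config (not real data); the trailing numbers are its line numbers.
CONSTRUCTED_SAMPLE = "\n".join([
    "# constructed sample; only the oraclecloud.com hostnames are real",    # 1
    "[unrelated]",                                                           # 2
    "host = login.example.com",                                              # 3
    "password = notrelevant",                                                # 4
    "",                                                                      # 5
    "[oracle_sso]",                                                          # 6
    "idcs_url = https://login.us2.oraclecloud.com/oauth2/token",             # 7
    "client_id = app-example",                                               # 8
    'client_secret = "s3cr3t-example-value"',                                # 9
    "",                                                                      # 10
    "[legacy_em2]",                                                          # 11
    "token_url: https://login.em2.oraclecloud.com/oauth2/token",             # 12
    "note = credentials for this one live in the vault, not in this file",   # 13
])


def demo():
    """Run the scanner over the constructed sample and return its findings."""
    return scan_text(CONSTRUCTED_SAMPLE, "constructed-sample.properties")


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']} references {f['host']}")
        for line_no, key, masked in f["secrets"]:
            print(f"  rotate: {key} at line {line_no} ({masked})")
        if not f["secrets"]:
            print("  no credential nearby; find where this integration's secret is stored")
```

Run it over a real checkout with `scan_tree("/path/to/repo")`. On the sample, the US2 reference is reported together with the `client_secret` two lines below it, while the `password` in the unrelated stanza is outside the window and is not attributed to it; the EM2 reference comes back with no nearby secret, which is still a worklist item, because the credential for that integration has to be found and rotated wherever it actually lives. The window is a heuristic: widen it for sprawling Java config, or replace it with stanza-aware parsing for structured formats, but any hit on either hostname deserves a manual look regardless of what sits next to it.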

On March 25, 2025, the threat actor shared a 10,000-line sample containing data from 1,500+ unique organizations, further supporting their claims. The sample included organizations with tenantIDs in formats suggesting access to production environments.

As of 26 March, multiple companies have verified the authenticity of the leaked data to BleepingComputer, confirming that exposed LDAP display names, email addresses, and other identifying information belong to them.

As of 28 March, cybersecurity providers are advising customers to rotate credentials for any Oracle Cloud accounts, and are already rotating their own Oracle Cloud account credentials.

As of 3 April 2025, according to Bloomberg, Oracle has acknowledged the security breach to customers. When the breach was first reported last month, Oracle denied any compromise of its Oracle Cloud federated SSO login servers or theft of account data. The company has now admitted to the incident and indicated that both the FBI and cybersecurity firm CrowdStrike are conducting investigations. Oracle also confirmed that the attacker demanded an extortion payment.

Oracle representatives told some clients that the compromised system had not been in use for eight years, suggesting that any stolen credentials would pose minimal risk. Bloomberg's unnamed source, however, said the stolen data included credentials from as recently as 2024. The types of exposed data appear to include:

  • SSO (Single Sign-On) credentials
  • LDAP authentication data
  • Encrypted passwords
  • Domain information for client organizations

The hacker released multiple text files containing database information, LDAP data, and a list of 140,621 domains for companies and government agencies allegedly impacted by the breach.
