2025's Largest Supply Chain Hack: Oracle Cloud Breach Exposes 6M Records Across 140K+ Tenants
Mar 27, 2025
In a significant cybersecurity incident, Oracle Cloud has reportedly suffered a breach resulting in the exfiltration of approximately six million records, impacting over 140,000 tenants. The compromised data includes Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys.
Details of the Breach
On March 21, 2025, threat intelligence firm CloudSEK identified a threat actor, known as "rose87168," offering for sale data purportedly extracted from Oracle Cloud's SSO and Lightweight Directory Access Protocol (LDAP) systems. The attacker claims to have exploited a vulnerability in the login endpoint (login.[region-name].oraclecloud.com), leading to unauthorized access and data exfiltration.

The compromised data encompasses sensitive authentication-related information, including:
Java KeyStore (JKS) files
Encrypted SSO passwords
Key files
Enterprise Manager JPS keys
The threat actor has been active since January 2025 and is soliciting help to decrypt the stolen SSO passwords, while at the same time demanding payment from affected organizations in exchange for removing their data.
Company's Response
Oracle has categorically denied any breach of its cloud infrastructure. A company spokesperson stated, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Investigation and Analysis
Despite Oracle's denial, several cybersecurity firms have presented evidence supporting the breach claims. CloudSEK's analysis suggests that the subdomain login.us2.oraclecloud.com was compromised, potentially due to an undisclosed vulnerability or misconfiguration in the OAuth2 authentication process.
Further investigation indicates that the compromised server was running Oracle Fusion Middleware 11G, last updated in September 2014. This outdated software may have been susceptible to CVE-2021-35587, a critical vulnerability in Oracle Access Manager that allows unauthenticated attackers to compromise the system via HTTP.
Impact on Oracle Cloud Tenants

The breach poses significant risks to affected organizations, including:
Mass Data Exposure: The exfiltration of six million records containing sensitive authentication data increases the risk of unauthorized access and corporate espionage.
Credential Compromise: If the encrypted SSO and LDAP passwords are decrypted, attackers could gain further unauthorized access to Oracle Cloud environments.
Extortion and Ransom Demands: The threat actor is coercing affected companies to pay for data removal, leading to potential financial and reputational damage.
Recommendations for Affected Organizations
Organizations utilizing Oracle Cloud services should take immediate action to mitigate potential risks:
Reset Credentials: Immediately reset all SSO and LDAP passwords, especially for privileged accounts.
Monitor Systems: Implement enhanced monitoring to detect any unauthorized access or unusual activity.
Apply Patches: Ensure that all systems are updated with the latest security patches to protect against known vulnerabilities.
Incident Response: Develop and execute an incident response plan to address potential breaches and communicate with stakeholders.
For a detailed analysis and further recommendations, refer to CloudSEK's comprehensive report on the incident.
This incident underscores the critical importance of robust cybersecurity measures and vigilant monitoring in safeguarding cloud infrastructure against evolving threats.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.