
Oracle under attack: the mystery of 6 million stolen records and a potential mega breach 

A hacker claims access to Oracle Cloud data: 140,000 tenants potentially exposed, but the company denies any compromise 


Table of contents

  • The shocking claim of hacker “rose87168” 
  • Oracle’s official response: “no breach occurred” 
  • CloudSEK and Kudelski investigate the breach 
  • The potential fallout: a serious risk to the cloud ecosystem 
  • What to do now: stay alert and protect your systems 

The shocking claim of hacker “rose87168” 

On March 21, 2025, a post on an underground forum caused a stir in the cyber security world. A user going by rose87168 claimed to have breached Oracle Cloud's federated SSO login endpoint (login.[region-name].oraclecloud.com), gaining access to JKS keystore files, encrypted SSO passwords, LDAP password hashes, and JPS keys.

What's more, the attacker put some 6 million records up for sale and offered rewards to anyone who could help decrypt the SSO passwords or crack the LDAP hashes.

If verified, the breach could affect more than 140,000 Oracle Cloud tenants, which would make it one of the biggest supply-chain incidents of 2025.

Oracle’s official response: “no breach occurred” 

Oracle quickly issued a firm denial. In an official statement shared with the media, the company said: 

“There has been no breach of Oracle Cloud. The credentials that were published do not belong to Oracle Cloud. No Oracle Cloud customer has experienced a data breach or data loss.” 

While Oracle's message is unambiguous, the company has not provided any technical details nor published a statement on its own site. Interestingly, however, the subdomain login.us2.oraclecloud.com, the one the attacker named, has been offline since March 21. Coincidence or containment?

CloudSEK and Kudelski investigate the breach 

Adding weight to the claim is an analysis by CloudSEK, a threat intelligence firm.

Its analysts reviewed the leaked data and concluded that it likely originated from Oracle Cloud infrastructure. They suggest the attacker exploited an unpatched vulnerability in the Oracle Fusion Middleware stack (Oracle Access Manager running on WebLogic Server) that served the login pages. Their prime suspect:

CVE-2021-35587, a critical (CVSS 9.8) flaw in the OpenSSO Agent component of Oracle Access Manager that lets an unauthenticated attacker with HTTP access take over the Access Manager instance. Oracle patched it in January 2022, so a server still exposed to it in 2025 would be years behind on updates.

Kudelski Security Research reached a similar conclusion in an independent advisory, noting that the login service appears to have been hosted on an unpatched Oracle Fusion Middleware 11g platform.

The potential fallout: a serious risk to the cloud ecosystem 

If the data is authentic, the impact would be severe. Exfiltrated credentials and cryptographic material (JKS keystores, JPS keys) open the way to unauthorized access, industrial espionage, and supply-chain attacks against the affected tenants. SSO passwords and LDAP hashes, if decrypted or cracked, could compromise the entire IT estate of many companies.
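To show why an attacker would bother paying for help "cracking the LDAP credentials", here is an added illustration (not code from the article, CloudSEK or Oracle) of an offline dictionary attack against directory password hashes. It assumes the OpenLDAP-style {SHA} and {SSHA} userPassword formats (a single unsalted or salted SHA-1); nothing on the page says the leaked hashes use exactly this scheme, and the directory entries and wordlist below are constructed for the example.

```python
import base64
import hashlib
import os

# Added illustration: offline dictionary attack on LDAP-style password
# hashes. Assumption: OpenLDAP {SHA}/{SSHA} format (SHA-1, unsalted or
# salted once). Oracle directory products may store something else.


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    """OpenLDAP {SHA}: base64(SHA1(password)), no salt at all."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_password(candidate: str, stored: str) -> bool:
    """Verify one candidate against a stored {SHA} or {SSHA} value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hashlib.sha1(candidate.encode()).digest() == raw
    raise ValueError("unsupported hash scheme in " + stored[:12])


def crack(entries: dict, wordlist: list) -> dict:
    """Dictionary attack. Returns {dn: recovered_password}.

    Each stored value costs one fast SHA-1 per wordlist entry, so the
    salt in {SSHA} only defeats precomputed tables, not a targeted
    wordlist run. This is why a stolen LDAP dump is valuable even when
    the passwords are "hashed".
    """
    found = {}
    for dn, stored in entries.items():
        for word in wordlist:
            if check_password(word, stored):
                found[dn] = word
                break
    return found


# Constructed sample directory dump (not real leaked data).
SAMPLE_DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": make_ssha("Winter2024!", b"\x01\x02\x03\x04"),
    "cn=bob,ou=users,dc=example,dc=com": make_sha("Password1"),
    "cn=carol,ou=users,dc=example,dc=com": make_ssha("correct horse battery staple", os.urandom(8)),
}
# Constructed wordlist; a real attacker would use millions of entries.
SAMPLE_WORDLIST = ["123456", "Password1", "Winter2024!", "oracle", "welcome1"]

if __name__ == "__main__":
    hits = crack(SAMPLE_DIRECTORY, SAMPLE_WORDLIST)
    for dn, pw in hits.items():
        print(f"{dn}: {pw}")
    print(f"{len(hits)}/{len(SAMPLE_DIRECTORY)} accounts recovered")
```

Two of the three constructed accounts fall to a five-word list; only the long passphrase survives. The defensive reading is the one the page draws: once a directory dump is in attacker hands, every password in it that is guessable should be considered known, and rotation is the only remedy.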

Given the federated nature of Oracle Cloud's SSO, which thousands of organizations use to manage access across enterprise systems, the impact could spread quickly: a compromise of one tenant's credentials could expose others through integrated applications and trust relationships.

On Reddit, members of the r/blueteamsec community noted that the incident may have affected traditional OCI logins but not IDCS, and advised rotating credentials as a precaution. 

What to do now: stay alert and protect your systems 

While the truth is still unclear, security teams should take proactive steps:

  • Closely monitor SSO and directory systems for suspicious activity, in particular logins from unfamiliar sources since March 21
  • Rotate passwords, especially SSO and LDAP credentials, and enforce multi-factor authentication (MFA)
  • Treat keys and certificates held in JKS keystores as potentially exposed and plan their rotation
  • Check whether your organization appears in the leaked tenant list using the lookup tool published by CloudSEK
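The first and last of those steps can be scripted. The following is an added example (not the article's, not CloudSEK's tool and not Oracle's API) of a triage pass a blue team might run: match your own tenant domains against a leaked-tenant list, then scan authentication events for successful logins into exposed tenants after the claimed breach date that came from a source IP the account had never used before, or that completed without MFA. The leaked list, the tenant domains and the JSON-lines event format are all constructed for the example; the format is not the OCI Audit schema.

```python
import json
from datetime import datetime, timezone

# Added example: post-leak triage. Log format and all data constructed.
CLAIM_DATE = datetime(2025, 3, 21, tzinfo=timezone.utc)  # date of the forum post


def normalize_domain(d: str) -> str:
    return d.strip().lower().rstrip(".")


def exposed_tenants(our_domains, leaked_domains):
    """Return our tenant domains that are on the leaked list. A subdomain
    matches its parent (hr.acme.example is exposed if acme.example leaked),
    but a bare TLD is never used for matching."""
    leaked = {normalize_domain(d) for d in leaked_domains}
    hits = set()
    for d in our_domains:
        norm = normalize_domain(d)
        parts = norm.split(".")
        for i in range(len(parts) - 1):
            if ".".join(parts[i:]) in leaked:
                hits.add(norm)
                break
    return hits


def parse_events(lines):
    """Parse constructed JSON-lines auth events, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def suspicious_logins(events, exposed):
    """Flag successful logins into exposed tenants on or after CLAIM_DATE
    that came from a source IP never before seen for that (tenant, user),
    or that did not complete MFA. Failed attempts do not add an IP to the
    baseline, so a failure followed by a success from a new IP still fires."""
    seen_ips = {}
    findings = []
    for e in events:
        key = (normalize_domain(e["tenant"]), e["user"])
        known = seen_ips.setdefault(key, set())
        if e["result"] != "success":
            continue
        reasons = []
        if key[0] in exposed and e["ts"] >= CLAIM_DATE:
            if e["ip"] not in known:
                reasons.append("new source IP")
            if not e.get("mfa"):
                reasons.append("no MFA")
        if reasons:
            findings.append((e["user"], key[0], e["ip"], ", ".join(reasons)))
        known.add(e["ip"])
    return findings


# Constructed inputs (no real tenants, no real leaked data).
LEAKED_TENANTS = ["acme.example", "contoso.example"]
OUR_TENANTS = ["acme.example", "hr.acme.example", "fabrikam.example"]
AUTH_LOG = """
{"ts":"2025-03-10T08:00:00Z","user":"alice","tenant":"acme.example","ip":"203.0.113.5","result":"success","mfa":true}
{"ts":"2025-03-22T09:00:00Z","user":"alice","tenant":"acme.example","ip":"203.0.113.5","result":"success","mfa":true}
{"ts":"2025-03-23T03:15:00Z","user":"alice","tenant":"acme.example","ip":"198.51.100.77","result":"success","mfa":false}
{"ts":"2025-03-23T03:20:00Z","user":"bob","tenant":"fabrikam.example","ip":"198.51.100.77","result":"success","mfa":false}
{"ts":"2025-03-24T11:00:00Z","user":"carol","tenant":"hr.acme.example","ip":"192.0.2.9","result":"failure","mfa":false}
{"ts":"2025-03-24T11:01:00Z","user":"carol","tenant":"hr.acme.example","ip":"192.0.2.9","result":"success","mfa":true}
""".strip().splitlines()


def triage():
    exposed = exposed_tenants(OUR_TENANTS, LEAKED_TENANTS)
    return exposed, suspicious_logins(parse_events(AUTH_LOG), exposed)


if __name__ == "__main__":
    exposed, findings = triage()
    print("exposed tenants:", sorted(exposed))
    for user, tenant, ip, why in findings:
        print(f"{user}@{tenant} from {ip}: {why}")
```

On the constructed data, bob's login is ignored because fabrikam.example is not on the leaked list, alice's pre-claim login builds her IP baseline, and two findings remain: alice from a new IP without MFA, and carol from a new IP in a subdomain of a leaked tenant. The same structure transfers to real audit exports once the field names are mapped.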

In today's threat landscape, caution is rarely excessive. Whether this turns out to be a false alarm or the start of a real crisis, the credentials and keys that guard cloud access deserve the same rotation discipline as any other compromised secret.
