Table of contents
- The shocking claim of hacker “rose87168”
- Oracle’s official response: “no breach occurred”
- CloudSEK and Kudelski investigate the breach
- The potential fallout: a serious risk to the cloud ecosystem
- What to do now: stay alert and protect your systems
The shocking claim of hacker “rose87168”
On March 21, 2025, a post on an underground forum caused a stir in the cyber security world. A user named rose87168 claimed to have breached the Oracle Cloud login endpoint (login.[region-name].oraclecloud.com), gaining access to JKS files, encrypted SSO passwords, LDAP hashes, and JPS keys.
What’s more, the attacker allegedly put 6 million records up for sale, even offering incentives to anyone who could help decrypt the SSO passwords or crack the LDAP credentials.
The breach could affect more than 140,000 Oracle Cloud tenants, potentially making this one of the biggest supply-chain attacks of 2025—if verified.
Oracle’s official response: “no breach occurred”
Oracle quickly issued a firm denial. In an official statement shared with the media, the company said:
“There has been no breach of Oracle Cloud. The credentials that were published do not belong to Oracle Cloud. No Oracle Cloud customer has experienced a data breach or data loss.”
While Oracle’s message is clear, the company has not provided any technical details nor updated its official site with a public statement. Interestingly, however, the subdomain login.us2.oraclecloud.com, mentioned by the attacker, has been offline since March 21. Coincidence or containment?
CloudSEK and Kudelski investigate the breach
Adding to the tension are the investigations by CloudSEK, a threat intelligence firm, and Kudelski Security.
Their analysts reviewed the leaked data and concluded that it likely originated from Oracle Cloud infrastructure. They suggest the breach could have exploited a zero-day vulnerability in Oracle WebLogic or Access Manager components used for login pages. The top suspect?
CVE-2021-35587, a critical flaw allowing unauthenticated attackers to take control of a vulnerable Oracle SSO system.
Kudelski Security Research reached a similar conclusion in an independent advisory, confirming that an unpatched Oracle Fusion Middleware 11g platform might have been used to host the login service.
The potential fallout: a serious risk to the cloud ecosystem
If the data turned out to be authentic, the impact would be devastating. The exfiltration of sensitive credentials and cryptographic files opens up scenarios for unauthorized access, industrial espionage, and blockchain breaches. SSO passwords and LDAP hashes, if cracked, could compromise the entire IT ecosystem of many companies.
Given the federated nature of Oracle Cloud, used by thousands of organizations to manage access across enterprise systems, the impact could spread quickly. A breach in one tenant could expose others through integrated applications and systems.
On Reddit, members of the r/blueteamsec community noted that the incident may have affected traditional OCI logins but not IDCS, and advised rotating credentials as a precaution.
What to do now: stay alert and protect your systems
While the truth is still unclear, security teams should take proactive steps:
- Closely monitor systems for suspicious activity
- Update passwords and enforce multi-factor authentication (MFA)
- Check if your credentials have been compromised using tools provided by CloudSEK
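The first two recommendations above can be made concrete. The following script is an added example, not code from the article, CloudSEK or Oracle: it runs simple detection logic over constructed SSO login log lines, flagging a burst of failed authentications for one account inside a sliding time window and any successful login from an address outside that account's known baseline. The log format, account names, IP addresses (RFC 5737 documentation ranges), thresholds and the baseline table are all assumptions for illustration; adapt the parser to whatever audit source your tenant actually exports.

```python
"""Added detection example (assumed log format, constructed data).

Flags two things a defender would want to see after a credential-leak claim:
  - repeated login failures for one account within a short window
  - a successful login from an IP not in that account's known baseline
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format; real OCI/SSO audit records look different.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed baseline: the IPs each account normally logs in from.
KNOWN_IPS = {
    "alice": {"192.0.2.10"},
    "bob": {"192.0.2.11"},
}

# Constructed sample log: alice is normal; bob gets five failures in two
# minutes followed by a success from an address not in his baseline.
SAMPLE_LINES = [
    "2025-03-22T10:00:00Z user=alice src=192.0.2.10 host=login.us2.oraclecloud.com result=OK",
    "2025-03-22T10:01:00Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=FAIL",
    "2025-03-22T10:01:20Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=FAIL",
    "2025-03-22T10:01:40Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=FAIL",
    "2025-03-22T10:02:00Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=FAIL",
    "2025-03-22T10:02:20Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=FAIL",
    "2025-03-22T10:02:40Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=OK",
    "this line is malformed and must be skipped",
    "2025-03-22T11:30:00Z user=bob src=198.51.100.23 host=login.us2.oraclecloud.com result=FAIL",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, known_ips, fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts in the order they fire.

    ("brute_force", user, count)   -> >= fail_threshold FAILs inside `window`
    ("new_ip_success", user, ip)   -> OK from an IP outside the user's baseline
    """
    alerts = []
    recent_fails = defaultdict(deque)  # user -> timestamps of failures in window
    already_flagged = set()            # avoid one alert per extra failure

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, src, ts = ev["user"], ev["src"], ev["ts"]

        if ev["result"] == "FAIL":
            q = recent_fails[user]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold and user not in already_flagged:
                alerts.append(("brute_force", user, len(q)))
                already_flagged.add(user)
        else:
            if src not in known_ips.get(user, set()):
                alerts.append(("new_ip_success", user, src))

    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LINES, KNOWN_IPS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample this fires twice: once when bob's fifth failure lands inside the five-minute window, and once when the subsequent success arrives from an address that is not in his baseline. The lone failure at 11:30 does not fire because the earlier failures have aged out of the window, which is the behaviour you want so that a single fat-fingered password does not page anyone. In practice the baseline would be built from weeks of historical successful logins rather than typed in by hand, and a "new IP success" for a privileged account is the alert to treat as a rotation trigger.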
In today’s rapidly evolving digital landscape, caution is never excessive. Whether this is a false alarm or the beginning of a real crisis, protecting cloud data must remain a top priority.