CyberSecurity news
ross.kelly@futurenet.com (Ross@itpro.com
On March 20, 2025, a user on the Breach Forums, identified as "rose87168," claimed to have stolen six million records from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. The user offered the data for sale or in exchange for zero-day exploits. The compromised database allegedly contains sensitive information, including Java KeyStore (JKS) files, encrypted SSO and LDAP passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. This could impact over 140,000 tenants, potentially creating a significant supply chain compromise.
Oracle has denied any breach of its cloud infrastructure. An Oracle spokesperson stated, "There has been no breach of Oracle Cloud... The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, the attacker claimed to have planted evidence on Oracle's login server, specifically login.us2.oraclecloud.com, creating a text file captured by the Internet Archive's Wayback Machine as proof of access. Cybersecurity firm CloudSEK suggests that the US2 server might not have been patched against CVE-2021-35587, a known vulnerability in Oracle Access Manager within Fusion Middleware.
References:
- hackread.com: Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
- BleepingComputer: The threat actor who claimed to breach Oracle Cloud shared the following URL as proof of the breach showing what appears to be a file containing their email address uploaded to Oracle's servers
- The DefendOps Diaries: Oracle Cloud Breach Allegations: Hacker Claims vs. Oracle's Denial
- www.bleepingcomputer.com: Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
- research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
- The Register - Software: Oracle Cloud says it's not true someone broke into its login servers and stole data
- BrianKrebs: CloudSEK’s XVigil discovered a threat actor, selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud
- www.cybersecurity-insiders.com: Oracle Cloud denies data breach claims of 6 million data files leak
- Patrick C Miller: Oracle denies breach after hacker claims theft of 6 million data records
- www.csoonline.com: Oracle Cloud breach may impact 140,000 enterprise customers
- www.it-daily.net: 6 million data records: Oracle was allegedly hacked
- eSecurity Planet: Oracle Cloud breach exposed 6M records from 140k+ tenants. Learn how attackers exploited vulnerabilities and steps organizations must take to secure data.
- www.techradar.com: Oracle denies data breach after hacker claims to hold six million records
- securityonline.info: BreachForums Claims: Millions of Oracle Cloud Records Stolen
- Arctic Wolf: On March 20, 2025, a Breach Forums user, “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
- Information Security Buzz: Cybersecurity Firm Uncovers Major Oracle Cloud Breach—Oracle Denies It
- Arctic Wolf: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
- www.cybersecuritydive.com: Researchers back claim of Oracle Cloud breach despite company’s denials
- www.scworld.com: A Breach Forums user claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale.
- www.scworld.com: Details of the alleged Oracle Cloud breach.
- The DefendOps Diaries: Oracle Cloud Breach Allegations: Unraveling the Controversy
- www.itpro.com: Oracle breach claims spark war of words with security researchers
- SpiderLabs Blog: Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
- The Register - Security: There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial
- Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- : A threat actor, known as “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
- Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
- DataBreaches.Net: Oracle continues to deny it had any breach, but customers and researchers are claiming otherwise.
- SpiderLabs Blog: On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to  , the attacker claimed that 6 million customer records were exfiltrated from Oracle's SSO and LDAP systems.
- GreyNoise: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
- www.cybersecuritydive.com: Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.
- SecureWorld News: In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.
Classification:
- HashTags: #OracleCloud #DataBreach #SupplyChain
- Company: CloudSEK
- Target: Oracle Cloud Customers
- Product: Oracle Cloud
- Feature: Data Theft
- Type: DataBreach
- Severity: Major