Oracle denies breach as hacker provides 6 million data on the market

Cloud Computing

Oracle denies breach as hacker provides 6 million data on the market

Tabon Batang

March 26, 2025

Oracle denies breach as hacker provides 6 million data on the market

A reported cyberattack concentrating on Oracle Cloud has raised issues about potential knowledge publicity throughout a variety of organisations.

On March 21, cybersecurity agency CloudSEK mentioned that 6 million data had been compromised, with over 140,000 Oracle Cloud tenants probably affected.

CloudSEK attributed the incident to a risk actor recognized as “rose87168,” who allegedly obtained the info via Oracle’s Single Signal-On (SSO) and Light-weight Listing Entry Protocol (LDAP) programs. The attacker has listed the data on the market on-line and is reportedly demanding cost from affected corporations for knowledge elimination.

Alleged scope and methodology of assault

In line with CloudSEK’s findings, the attacker used an undisclosed vulnerability in Oracle WebLogic Server to achieve entry to login endpoints throughout areas related to Oracle Cloud. The uncovered knowledge is claimed to incorporate Java KeyStore (JKS) information, encrypted passwords for SSO and LDAP programs, key information, and Enterprise Supervisor JPS keys.

The compromised endpoint is believed to be “login.(region-name).oraclecloud.com.” The attacker has additionally created a profile on X (previously Twitter), showing to observe accounts related to Oracle and affected companies, probably in an effort to strain victims.

CloudSEK has rated the risk as “Excessive” resulting from its reported scale and the sensitivity of the info concerned.

CloudSEK’s response and suggestions

The cybersecurity agency has really helpful that organisations utilizing Oracle Cloud take fast actions, resembling resetting credentials, launching forensic investigations, monitoring for leaked knowledge on the darkish net, and making use of stricter entry controls.

CloudSEK additional warned that if the encrypted credentials are efficiently deciphered, there could possibly be far-reaching penalties, like unauthorised entry, potential knowledge leaks, and dangers to linked programs throughout provide chains.

Oracle disputes claims of breach

Oracle has denied that its cloud programs had been compromised. In a press release to The Register, an organization spokesperson mentioned, “There was no breach of Oracle Cloud. The printed credentials are usually not for the Oracle Cloud. No Oracle Cloud clients skilled a breach or misplaced any knowledge.”

The corporate’s response adopted on-line exercise by the risk actor, who posted samples of what was claimed to be stolen Oracle Cloud knowledge on cybercrime boards, together with screenshots and a textual content file uploaded to one among Oracle’s login servers. The file contained an e mail deal with related to the vendor and was captured by the Web Archive’s Wayback Machine.

Whereas Oracle has not commented additional, investigations by third events, together with Bleeping Laptop, famous that one of many affected servers was reportedly working an older model of Oracle Fusion Middleware as lately as February 2025. Safety researchers have speculated that an unpatched essential vulnerability—CVE-2021-35587—might have been concerned, though this has not been confirmed.

Ongoing uncertainty round claims

The attacker, who seems to haven’t any recognized historical past previous to this incident, has additionally provided the alleged knowledge in trade for zero-day exploits or cryptocurrency. In discussion board posts, they claimed to have contacted Oracle a few month earlier with a request for over $200 million in cryptocurrency in return for particulars of the breach.

Additionally they sought help in decrypting the SSO and LDAP credentials, suggesting that the knowledge, whereas encrypted, is likely to be usable with the proper instruments or collaboration.

Along with the info, the attacker shared an inventory of domains linked with the affected corporations. They reportedly provided to take away worker data from particular organisations in trade for cost.

What’s recognized and what’s not

At this stage, the total scope and authenticity of the info publicity stay below scrutiny. Oracle maintains that its programs weren’t breached, whereas CloudSEK continues to warn of great dangers tied to the info being circulated. Whether or not this incident displays a verified intrusion or an overstated declare continues to be being evaluated by the broader cybersecurity group.

See additionally: Oracle’s $5bn UK cloud funding

Need to study extra about cybersecurity and the cloud from business leaders? Try Cyber Safety & Cloud Expo going down in Amsterdam, California, and London.

Discover different upcoming enterprise expertise occasions and webinars powered by TechForge right here.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.