Recent reports indicate a potential major security incident involving Oracle Cloud, detected on March 21, 2025. Researchers claim a threat actor is selling sensitive data, while Oracle firmly denies any breach.
Alleged Oracle Cloud Breach Analysis
On March 21, 2025, CloudSEK published a blog post claiming a significant data breach in Oracle Cloud, detected through their platform. They reported that a threat actor, identified as “rose87168,” is selling 6 million records exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. This data includes sensitive components such as Java KeyStore (JKS) files, encrypted SSO passwords, key files, and enterprise manager Java Platform Security (JPS) keys, potentially impacting over 140,000 tenants across multiple regions and industries.

Researchers verified the breach using their XVigil platform and cyber HUMINT, publishing a TLP Green report for public awareness and a TLP RED report sent to Oracle on the same day. They also released a free tool on a specially crafted website for organizations to check if their data was exposed.
Evidence Supporting the Breach
CloudSEK provided detailed evidence to support the Oracle Cloud breach claim. The breach likely stemmed from an exploited vulnerability in Oracle Cloud’s login endpoint, specifically login.(region-name).oraclecloud.com, with evidence suggesting the use of CVE-2021-35587, a critical vulnerability in Oracle Access Manager (OpenSSO Agent) within Oracle Fusion Middleware, last updated in 2014, with a CVSS score of 9.8, which allows unauthenticated remote code execution. This is supported by Oracle.
Further evidence includes a 10,000-line sample shared by the threat actor on March 25, 2025, containing data from 1,500+ unique organizations, including personal emails and production access indicators (tenantIDs like {tenant}-dev, {tenant}-test, {tenant}). Researchers confirmed real customer domains (e.g., sbgtv.com, nexinfo.com) matching the threat actor’s list, with system logs indicating the compromised production SSO endpoint, login.us2.oraclecloud.com, was active approximately 30 days ago and taken down by Oracle a few weeks before the breach. An archived file uploaded by the threat actor at web.archive.org contains the attacker’s email, also adding credibility.
Multiple cybersecurity outlets have analyzed this incident, supporting the researchers’ findings. CSO Online, in “Oracle Cloud breach May Impact 140000 Enterprise Customers,” reports the breach’s potential to endanger 140,000 enterprise customers, with the threat actor demanding ransom and marketing the data on underground forums.
Oracle’s Response and Denial
Oracle has categorically denied the breach. Oracle’s statement, as of March 21, 2025, is: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” This denial has created a significant controversy, with Oracle maintaining silence on further details.
An X/Twitter post mentions rose87168 claiming to have used the CVE-2021-35587 vulnerability to compromise login.us2.oraclecloud.com, with Oracle allegedly disconnecting the server, though current checks show the server is still accessible.
Impact and Remediation
The potential impacts of an Oracle Cloud breach are typical for this kind of incident: mass data exposure, credential compromise if the encrypted passwords are cracked, and supply chain risk from the exposed JKS and key files. Security researchers strongly recommend rotating all SSO and LDAP credentials, enforcing multi-factor authentication (MFA), conducting forensic investigations, and monitoring dark web forums for discussion of the leaked data.
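The sample described above is organized by tenant ID, with suffixes ({tenant}-dev, {tenant}-test, bare {tenant}) marking which environment a record belongs to, and the remediation guidance is to rotate the affected credentials starting with what matters most. The script below is an added example, not CloudSEK’s tool or anything published with the article: it parses constructed rows in that shape (tenant ID, SSO endpoint, account email, all invented values), maps each tenant ID to a tenant name and environment, matches rows against an organization’s own tenant names and email domains, and groups the matched accounts into a rotation plan that puts production tenants first. The three-column row layout is an assumption; the real sample’s exact columns are not given on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample rows in the shape the article describes:
# tenant id, SSO endpoint, account email. None of these are real leaked data.
SAMPLE_ROWS = [
    "acme-dev,login.us2.oraclecloud.com,jdoe@acme.example",
    "acme-test,login.us2.oraclecloud.com,ops@acme.example",
    "acme,login.us2.oraclecloud.com,svc-sso@acme.example",
    "globex,login.us2.oraclecloud.com,admin@globex.example",
    "initech-dev,login.eu1.oraclecloud.com,dev@initech.example",
    "malformed line without commas",
]

# Environment suffixes named in the article; a bare tenant id is production.
ENV_SUFFIXES = ("dev", "test")


def parse_tenant_id(tenant_id):
    """Split 'acme-dev' -> ('acme', 'dev'); 'my-corp' with no suffix -> ('my-corp', 'prod')."""
    tid = tenant_id.strip().lower()
    for env in ENV_SUFFIXES:
        marker = "-" + env
        if tid.endswith(marker) and len(tid) > len(marker):
            return tid[: -len(marker)], env
    return tid, "prod"


@dataclass
class Finding:
    tenant_id: str
    tenant: str
    env: str
    endpoint: str
    email: str
    reason: str     # why the row matched our organization
    severity: str   # high = production tenant, medium = dev/test, review = domain only


def parse_row(row):
    """Return [tenant_id, endpoint, email] or None for rows that do not fit the layout."""
    parts = [p.strip() for p in row.split(",")]
    if len(parts) != 3 or not parts[0]:
        return None
    return parts


def triage(rows, my_tenants, my_domains):
    """Return (findings, per-environment counts, skipped-row count) for rows that touch us."""
    my_tenants = {t.lower() for t in my_tenants}
    my_domains = {d.lower() for d in my_domains}
    findings, env_counts, skipped = [], Counter(), 0
    for row in rows:
        parts = parse_row(row)
        if parts is None:
            skipped += 1
            continue
        tenant_id, endpoint, email = parts
        tenant, env = parse_tenant_id(tenant_id)
        env_counts[env] += 1
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        if tenant in my_tenants:
            reason = "tenant name match"
            severity = "high" if env == "prod" else "medium"
        elif domain in my_domains:
            # An employee address under a tenant we do not own still deserves a look.
            reason = "email domain match"
            severity = "review"
        else:
            continue
        findings.append(Finding(tenant_id, tenant, env, endpoint, email, reason, severity))
    return findings, env_counts, skipped


def rotation_plan(findings):
    """Group matched accounts by severity so credential rotation starts with production."""
    plan = {"high": [], "medium": [], "review": []}
    for f in findings:
        plan[f.severity].append(f.email)
    return plan


if __name__ == "__main__":
    found, counts, skipped = triage(SAMPLE_ROWS, my_tenants={"acme"}, my_domains={"acme.example"})
    for f in found:
        print(f"{f.severity:6} {f.tenant_id:12} {f.env:5} {f.endpoint:28} {f.email} ({f.reason})")
    print("rows per environment:", dict(counts), "| skipped:", skipped)
    print("rotation order:", rotation_plan(found))
```

Run against the constructed rows with tenant "acme", the script reports the two non-production tenant IDs as medium and the bare production tenant as high, counts rows per environment so an analyst can see how much of the sample is production data, and skips rows that do not fit the expected layout instead of failing on them.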
As of the time of writing, the situation remains unresolved, with no new updates beyond the March 25, 2025 reports. Organizations are advised to use the researchers’ tool to check their exposure and follow the recommended security measures while awaiting further official statements from Oracle and independent verification.