Leak at Oracle Cloud
In late March 2025, a threat actor known as 'rose87168' claimed to have stolen roughly 6 million authentication records from an Oracle Cloud SSO/LDAP endpoint, potentially affecting over 140,000 tenants; Oracle initially denied any breach before privately confirming a compromise to customers.
- Victim
- Oracle Cloud
- records
- 6.0M
On 27 March 2025, Oracle Cloud — Oracle's enterprise cloud platform — was at the center of a disputed breach disclosure after a threat actor using the alias rose87168 advertised roughly 6 million authentication records for sale, claiming to have stolen them from an Oracle Cloud federated single sign-on (SSO) server. The records reportedly originated from a compromised login endpoint (login.us2.oraclecloud.com) and exposed authentication material belonging to a large number of enterprise tenants.
The intrusion was traced to the exploitation of CVE-2021-35587, a critical unauthenticated remote takeover flaw in Oracle Access Manager. The affected subdomain was found to be running an outdated, unpatched build of Oracle Fusion Middleware 11G — a single weak component on Oracle's own SSO infrastructure that placed the connected tenants downstream at risk.
Exposed data categories reportedly included:
- Encrypted SSO and LDAP credentials
- Java KeyStore (JKS) files
- Enterprise Manager JPS (Java Platform Security) keys
- Tenant and authentication key material
CloudSEK, which first surfaced the listing, estimated more than 140,000 tenants could be affected. Oracle publicly denied any breach of Oracle Cloud, but multiple customers confirmed that sample data shared by the attacker was genuine, and Oracle subsequently acknowledged the compromise privately to affected customers in early April 2025. The exposed endpoint was taken offline, and the threat actor moved to extort affected organizations for data removal.
Sources
- lemondeinformatique.frhttps://www.lemondeinformatique.fr/actualites/lire-des-clients-confirment-la-fuite-de-donnees-oracle-cloud-96454.html
- cloudsek.comhttps://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
- cybersecuritydive.comhttps://www.cybersecuritydive.com/news/researchers-oracle-cloud-breach/743447/