Cybersecurity firm CloudSEK has identified a major data breach involving Oracle Cloud. A threat actor, known as “rose87168,” claims to be selling around 6 million records stolen from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) servers.
The compromised data includes Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. These are now for sale Breach Forums and other dark web marketplaces.
According to CloudSEK, the breach, discovered on 21 March, is believed to have originated from an undisclosed vulnerability in the Oracle Cloud login endpoint (login.[region-name].oraclecloud.com), allowing unsanctioned access.
140,000 Affected Tenants
The malicious actor has been active since January this year and has been soliciting assistance to decrypt the SSO passwords and crack the LDAP passwords. Also, “rose87168” is demanding payments from over 140,000 affected tenants to take their data off the sale.
CloudSEK has assessed this threat with medium confidence and rates it as high in severity, indicating the potential for a significant impact on affected entities—it has also provided a tool for organizations to check if their data has been exposed in this breach.
The malefactor, active since January 2025, says it had compromised a subdomain login.us2.oraclecloud.com, which has since been taken down. This subdomain was found to be hosting Oracle Fusion Middleware 11G, as evidenced by a Wayback Machine capture from 17 February.
CloudSEK’s analysis indicates that the attacker may have compromised a vulnerable version of Oracle Cloud servers, potentially leveraging an older flaw, CVE-2021-35587, which affects Oracle Fusion Middleware (OpenSSO Agent).
As additional proof that they had access to Oracle Cloud servers, the threat actor shared a URL, revealing an Internet Archive URL that indicates they uploaded a .txt file containing their ProtonMail email address to the login.us2.oraclecloud.com server.
Outdated Software
This CVE, which was added to the CISA KEV catalogue in December 2022, enables unauthenticated actors to compromise Oracle Access Manager, which could lead to a total takeover. This is in line with the type of data exfiltrated and shared by the cybercriminal and, if exploited, could allow them to gain initial access to the environment and then move laterally within the Oracle Cloud environment to access other systems and data.
Closer scrutiny found that the Oracle Fusion Middleware server was last updated near the end of September in 2014.
Strong, Yet Implausible Denial
Oracle denies it was breached after the threat actor claimed to be selling the above-mentioned records that were allegedly stolen. However, cybersecurity expert Jake Williams posed an interesting question on LinkedIn: “Has Oracle explained to anyone how a threat actor got a text file with their email address in the webroot of an OCI login server? Because I feel like if you’re gonna deny an incident, that’s a REALLY important detail.”
Also, despite Oracle’s public denial of any breach, CloudSEK’s analysis suggests evidence to the contrary. The security company conducted a follow-up analysis to validate the claims, and says its investigation, using its Nexus platform and human intelligence, corroborated the authenticity of the data and promptly alerted the public and Oracle.
However, it’s important to note that while CloudSEK and the malicious actor have provided details about the alleged breach, Oracle’s firm denial creates a conflicting narrative. The situation is still developing, and the full extent and validity of the claims remain under investigation.
Raising More Questions Than Answers
Chad Cragle, CISO at Deepwatch, says Williams raises a critical point. “If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain? This indicates unauthorized access, even if it wasn’t a full-scale compromise. Dismissing the incident without addressing this key detail raises more questions than answers. If Oracle wants to maintain credibility, they must clarify how the file ended up there, whether any security gaps were exploited, and why the subdomain was taken down.”
Irrespective of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning, says Heath Renfrow, CISO and Co-founder at Fenix24. “ This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk.”
“By compromising what appears to be a significant number of keys and credentials, the attackers can potentially gain unauthorized access to many more systems and data,” adds Rom Carmel, Co-Founder and CEO at Apono. “This incident raises important questions about whether access to the server containing such sensitive resources was properly restricted—not just who had access, but also when that access was permitted. It also calls into question whether the affected resources had adequate access controls in place to enforce least privilege and limit access to defined, secure time windows.
A Mindset Shift
As more resources move into the cloud, we need to shift our mindset for how we protect them without hindering productivity, Carmel says. “This means embracing intelligent access control methodologies and the agility that automation can provide us to not only make our organizations more secure and resilient but also enable the business to run faster.”
“This incident also highlights the importance of continuously monitoring third-party platforms, ensuring regular patching of middleware components, and validating federated identity infrastructure configurations. Supply chain and cloud identity are increasingly attractive attack surfaces, and it is vital that all organizations using shared cloud platforms apply a Zero Trust posture to identity and access management,” Renfrow adds.
“Those who were potentially impacted by Oracle Cloud should immediately assess their federated SSO configurations, rotate any potentially exposed credentials or keys, and monitor for indicators of compromise associated with the published artifacts,” he ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
