Oracle Cloud Data Breach | Customers Confirm Stolen Data is Valid Despite Oracle’s Denial – A Cybersecurity Analysis

A cybersecurity incident involving Oracle Cloud has surfaced, with a hacker claiming to have stolen authentication data for 6 million users. While Oracle denies any breach, multiple companies have confirmed the validity of leaked credentials. The hacker allegedly exploited CVE-2021-35587, a vulnerability in Oracle Fusion Middleware 11g, to gain access to LDAP and SSO login credentials. Despite Oracle's refusal to acknowledge the breach, evidence suggests that cloud authentication security was compromised, raising concerns about enterprise security practices. This blog provides a detailed analysis of the alleged breach, its potential impact, and security measures organizations should take to protect their cloud environments.

Introduction

A significant cybersecurity incident has surfaced involving Oracle Cloud, where a hacker allegedly breached the company’s federated SSO login servers and stole authentication data of approximately 6 million users. While Oracle has officially denied any security breach, multiple organizations have confirmed the validity of the stolen data.

This incident raises serious concerns about cloud security, enterprise vulnerability management, and the implications of unpatched software running on critical infrastructure. In this blog, we will explore the details of the alleged breach, the hacker’s claims, the evidence supporting the attack, Oracle’s response, and the broader implications for cloud security.

The Alleged Oracle Cloud Breach: What Happened?

Hacker’s Claims

On March 26, 2025, a threat actor known as ‘rose87168’ surfaced on a hacking forum, claiming to have breached Oracle Cloud’s federated SSO (Single Sign-On) login servers. According to the hacker, they managed to obtain:

  • Encrypted SSO and LDAP passwords

  • A database containing authentication records

  • A list of 140,621 domains linked to various enterprises and government agencies

The hacker also claimed that the LDAP passwords could be decrypted, making the data particularly dangerous if used for further attacks.

Evidence Supporting the Breach

1. Hacker-Proven Access to Oracle’s Infrastructure

To back up their claims, the hacker provided an Archive.org URL that linked to a text file hosted on Oracle’s own login servers (login.us2.oraclecloud.com). The fact that this file was hosted directly on Oracle’s infrastructure suggests that the attacker may have had write access to the system.

2. Leaked Data Samples Verified by Companies

Multiple organizations that received the leaked data samples confirmed to cybersecurity researchers that the information was legitimate. These companies verified that:

  • The LDAP usernames, email addresses, and given names were accurate.

  • The information matched their employee records, confirming that these were real credentials.

3. Cloud Security Firm Confirms Oracle Was Running a Vulnerable Version

Cybersecurity firm CloudSEK discovered that the Oracle login server was running an outdated version of Oracle Fusion Middleware 11g. This version was known to contain a critical vulnerability (CVE-2021-35587), which allowed unauthenticated attackers to gain access to the system.

4. The Threat Actor Claimed They Contacted Oracle

The hacker claimed that they had reached out to Oracle's security team via email, informing them about the breach. They allegedly received a response from an individual using a ProtonMail address (@proton.me), which raised suspicions about whether Oracle was handling the situation properly.

Oracle’s Official Response

Denial of the Breach

Oracle responded to inquiries about the attack with an official statement:

"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

Despite Oracle's denial, the fact that multiple companies have confirmed the authenticity of the leaked data suggests that either Oracle is unaware of the full extent of the breach, or it is attempting to contain reputational damage.

Oracle Takes Down the Affected Server

After the breach was reported, Oracle removed access to the compromised login.us2.oraclecloud.com server. This action indirectly suggests that Oracle was aware of a security issue, even though it denied any data loss.

Possible Attack Method: Exploiting CVE-2021-35587

What is CVE-2021-35587?

  • A critical vulnerability in Oracle Fusion Middleware 11g

  • Allows unauthenticated remote attackers to gain complete control over affected systems

  • Can be used for privilege escalation, credential theft, and lateral movement across networks

Given that Oracle’s login server was running this vulnerable version, it is highly likely that the hacker exploited this flaw to gain access.

Potential Impact of the Oracle Cloud Breach

1. Risk to Oracle Customers

If the stolen SSO and LDAP credentials fall into the wrong hands, attackers could:

  • Compromise enterprise networks

  • Bypass multi-factor authentication (MFA) if not properly configured

  • Launch targeted phishing and credential-stuffing attacks

2. Damage to Oracle’s Reputation

Oracle’s response has raised serious concerns about transparency in cloud security. If further proof of the breach emerges, Oracle could:

  • Lose customer trust

  • Face legal consequences for failing to disclose the incident

  • Be investigated for compliance violations

3. Increased Cybersecurity Threats

This incident highlights the growing threats to cloud security and the risks of running outdated software. Organizations relying on Oracle Cloud must reassess their security policies and ensure that they are protected against similar threats.

How Organizations Can Protect Themselves

1. Implement Strong Access Controls

  • Enable Multi-Factor Authentication (MFA) to prevent unauthorized logins.

  • Use role-based access controls (RBAC) to restrict sensitive data access.

2. Patch Vulnerabilities Immediately

  • Regularly update cloud software to fix known security flaws like CVE-2021-35587.

  • Conduct continuous vulnerability assessments.

3. Monitor Cloud Logs for Anomalies

  • Set up alerts for unusual login activity.

  • Track suspicious IP addresses attempting to access Oracle Cloud accounts.
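One way to turn the two log-monitoring recommendations above into concrete alerts, as an added example that is not part of the original post and not Oracle code: it parses a constructed SSO login record format (a real Oracle Access Manager or IdP audit log has its own fields), keeps an assumed per-account baseline of known source IPs, and flags logins from new IPs and credential-stuffing sprays, the attack pattern leaked LDAP/SSO credentials enable.

```python
"""Flag leaked-credential abuse in SSO login records. Added example, not code
from the original post or from Oracle; the log format and IP baseline are
constructed for illustration, so adapt parse() to your IdP's audit fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source-ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2025-03-26T08:00:01Z 203.0.113.9 alice@corp.example FAIL
2025-03-26T08:00:02Z 203.0.113.9 bob@corp.example FAIL
2025-03-26T08:00:03Z 203.0.113.9 carol@corp.example FAIL
2025-03-26T08:00:04Z 203.0.113.9 dave@corp.example FAIL
2025-03-26T08:00:05Z 203.0.113.9 erin@corp.example FAIL
2025-03-26T08:00:06Z 203.0.113.9 frank@corp.example SUCCESS
2025-03-26T09:15:00Z 198.51.100.7 alice@corp.example SUCCESS
2025-03-26T09:20:00Z 192.0.2.50 alice@corp.example SUCCESS
"""
# Constructed baseline: source IPs each account has used before the leak.
KNOWN_IPS = {"alice@corp.example": {"198.51.100.7"},
             "frank@corp.example": {"198.51.100.8"}}
WINDOW, MIN_ACCOUNTS = timedelta(minutes=5), 5  # spray window; distinct accounts per IP


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect(events, known_ips):
    """Return (rule, detail) findings in log order; rule 3 findings come last."""
    findings, fails_by_ip = [], defaultdict(list)   # ip -> [(ts, user)]
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
            continue
        # Rule 1: a successful login from an IP this account has never used.
        if ip not in known_ips.get(user, set()):
            findings.append(("new_ip_login", f"{user} from {ip}"))
        # Rule 2: success shortly after that IP failed against many accounts.
        sprayed = {u for t, u in fails_by_ip[ip] if ts - t <= WINDOW}
        if len(sprayed) >= MIN_ACCOUNTS:
            findings.append(("stuffing_then_success", f"{ip} -> {user}"))
    # Rule 3: the spray itself, whether or not any attempt succeeded.
    for ip, fails in fails_by_ip.items():
        if len({u for _, u in fails}) >= MIN_ACCOUNTS:
            findings.append(("credential_spray", ip))
    return findings
```

Rule 1 is the "unusual login activity" alert and rules 2 and 3 the "suspicious IP" alerts; a new-IP success for an account whose credentials appear in the leak is the one to treat as an incident rather than a notification.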

4. Conduct Regular Security Audits

  • Perform penetration testing on cloud infrastructure.

  • Review LDAP and SSO configurations for security weaknesses.

5. Strengthen Incident Response Plans

  • Develop a breach response strategy in case of compromised credentials.

  • Train employees to recognize phishing attempts related to leaked data.

Lessons Learned from the Oracle Cloud Breach

1. Cloud Providers Must Prioritize Security

  • Cloud services must proactively patch vulnerabilities rather than waiting for an attack.

  • Customers should demand transparency from providers like Oracle.

2. No System is Completely Secure

  • Even large enterprises like Oracle are susceptible to unauthenticated attacks.

  • Organizations should never rely solely on cloud providers for security.

3. Transparency is Key in Cybersecurity Incidents

  • Companies that experience a breach must be upfront about what happened.

  • Oracle’s denial of the breach, despite evidence, could harm customer trust.

Conclusion

The alleged Oracle Cloud breach serves as a wake-up call for enterprises relying on cloud-based authentication services. Although Oracle denied any security incident, multiple companies have verified that the leaked LDAP and SSO credentials were authentic.

This situation underscores the importance of regular security updates, proactive vulnerability management, and strong authentication practices to safeguard enterprise cloud environments. While Oracle has taken steps to remove the affected login server, the lack of transparency about the breach raises serious concerns about cloud security practices.

Organizations must take immediate action to review their security settings, enforce strict authentication controls, and stay vigilant against emerging cyber threats. This incident will likely continue to develop, with security researchers closely monitoring Oracle’s response and any additional data leaks in the coming weeks.

FAQs

What is the alleged Oracle Cloud data breach?

The alleged breach involves a hacker claiming to have stolen authentication data of 6 million users from Oracle Cloud’s federated SSO login servers.

Who is the hacker behind the Oracle breach?

A threat actor using the alias ‘rose87168’ claimed responsibility for the breach and began selling stolen authentication data on hacking forums.

What type of data was allegedly stolen?

The hacker claims to have obtained SSO and LDAP credentials, authentication logs, and a list of 140,621 affected domains.

Has Oracle confirmed the breach?

No, Oracle denies any breach, stating that no Oracle Cloud customers lost data. However, multiple organizations have confirmed that leaked credentials are legitimate.

How did the hacker allegedly access Oracle Cloud’s systems?

The hacker claims to have exploited CVE-2021-35587, a vulnerability in Oracle Fusion Middleware 11g, which allows attackers to bypass authentication controls.

What is CVE-2021-35587?

It is a critical vulnerability in Oracle Access Manager that allows unauthenticated remote attackers to gain control over affected systems.

Is Oracle Fusion Middleware 11g still used?

Yes, some Oracle Cloud servers were reportedly running outdated versions, including the vulnerable Oracle Fusion Middleware 11g.

What evidence supports the hacker’s claims?

The hacker provided a text file hosted on Oracle’s own servers and leaked data samples that companies confirmed were valid credentials.

What type of organizations were impacted?

The stolen credentials allegedly belong to both corporate enterprises and government agencies, according to leaked domain lists.

How did companies verify the leaked data?

Affected organizations confirmed that LDAP display names, email addresses, and authentication details matched their employee records.

Why is Oracle denying the breach?

Oracle may be trying to mitigate reputational damage or may not yet be fully aware of the extent of the breach.

Has Oracle taken any security measures after the incident?

Oracle removed the compromised login server, but has not publicly acknowledged any security fixes.

What risks do stolen LDAP and SSO credentials pose?

Compromised credentials could allow hackers to access corporate networks, bypass authentication, and launch phishing attacks.

How can organizations protect themselves from similar breaches?

  • Enable Multi-Factor Authentication (MFA)

  • Regularly update and patch vulnerabilities

  • Monitor authentication logs for unusual activity

  • Use zero-trust security models

Is Oracle responsible for securing customer authentication data?

Yes, as a cloud service provider, Oracle must ensure secure authentication mechanisms and prompt security patches.

Can affected users reset their credentials?

Organizations using Oracle Cloud should reset passwords, revoke compromised credentials, and enable MFA immediately.

Could this breach lead to regulatory action against Oracle?

If Oracle is found to have mishandled customer data security, it could face compliance investigations and potential penalties.

How does this breach compare to past cloud security incidents?

This breach is similar to high-profile data leaks where cloud misconfigurations and unpatched software vulnerabilities led to mass credential theft.

Are enterprise cloud services inherently insecure?

No, but cloud misconfigurations, outdated software, and weak authentication mechanisms increase the risk of breaches.

How can businesses detect if their Oracle Cloud accounts were affected?

Businesses should check for unauthorized login attempts, unknown SSO sessions, and compromised email addresses.

What steps should affected companies take now?

  • Reset all Oracle Cloud authentication credentials

  • Perform a forensic investigation

  • Implement security monitoring for suspicious activity

What can hackers do with the stolen LDAP credentials?

They could impersonate users, gain unauthorized network access, and move laterally across enterprise systems.

Has any ransom demand been made regarding the stolen data?

As of now, the hacker has offered to sell the stolen credentials, but no ransom demands have been publicly reported.

Could stolen credentials be used for future cyberattacks?

Yes, threat actors could use them for phishing campaigns, brute-force attacks, or social engineering scams.

Is Oracle cooperating with cybersecurity investigators?

Oracle has not publicly disclosed details about its investigation, and reports suggest limited cooperation with security researchers.

What are the long-term consequences of this breach?

Organizations may need to reevaluate their cloud security strategies, and Oracle’s reputation as a cloud provider could suffer.

How should enterprises secure their SSO login systems?

  • Use strong authentication protocols

  • Implement strict access control policies

  • Monitor for unauthorized access attempts

Can Oracle Cloud users switch to other authentication providers?

Yes, businesses can use third-party identity providers or migrate to alternative cloud authentication solutions.

How does this breach affect Oracle Cloud's market position?

Oracle’s credibility in the cloud security market may be affected, especially if more evidence of the breach emerges.

Will Oracle release an official security advisory?

While Oracle has denied the breach, it may issue a security update if further evidence surfaces.
