CloudSEK has published a report stating that a data breach occurred on Oracle Cloud. Oracle has strongly denied the allegations, asserting that its cloud infrastructure remains secure and that there is no evidence of unauthorized access or data leakage. An Oracle statement said, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
CloudSEK's report describes a large-scale cyberattack targeting Oracle Cloud, which it says could be the biggest supply chain hack of 2025. According to the report, CloudSEK's XVigil platform discovered on March 21, 2025 that a threat actor known as "rose87168" is offering for sale 6 million records allegedly extracted from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, affecting over 140,000 tenants across multiple regions and industries.
The alleged breach was traced to the login endpoint login.(region-name).oraclecloud.com. The dataset on offer reportedly contains Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys. The threat actor, active since January 2025, is not only selling this sensitive information but also soliciting help to decrypt the stolen credentials, while pressuring affected companies to pay a "fee" for data removal.
CloudSEK assesses with medium confidence that the threat actor used an undisclosed vulnerability in Oracle WebLogic Server to compromise the login endpoints for all oraclecloud.com regions. Although the actor has no prior history, their techniques suggest a high level of sophistication. CloudSEK has assigned the threat a "High" severity rating because of its scale and potential for widespread damage.
The exposure of 6 million records threatens organizations with mass data leaks, unauthorized access, and corporate espionage. If the encrypted SSO and LDAP passwords are cracked, attackers could infiltrate Oracle Cloud environments further, amplifying the risk. The breach also introduces supply chain vulnerabilities, as compromised JKS and key files could allow attackers to pivot to interconnected systems.
For the more than 140,000 affected tenants, the stakes are immediate: extortion demands from "rose87168" create both financial and reputational pressure. The actor has also created an X account to amplify their reach, following Oracle-related accounts to taunt or track their targets.
CloudSEK’s research team has outlined critical steps to mitigate the fallout:
Credential Reset: Organizations must immediately rotate all SSO, LDAP, and related credentials, bolstering defenses with multi-factor authentication (MFA) and strong password policies.
Investigate and Respond: Launch forensic probes to uncover any unauthorized access and halt further exploitation.
Monitor the Dark Web: Keep a close watch on forums and marketplaces for chatter about the leaked data.
Collaborate with Oracle: Notify Oracle’s security team to investigate the suspected supply chain attack and secure fixes.
Lock Down Access: Enforce strict access controls, least privilege principles, and enhanced logging to catch suspicious activity early.
CloudSEK is collaborating with CERTs and has shared its findings with them. CloudSEK urges organizations using Oracle Cloud to take immediate action to assess and mitigate their exposure.