
Oracle Cloud Data Breach Claim: 6 Million Records Exposed
A cybersecurity alert has emerged after a hacker claimed to have stolen nearly 6 million records from Oracle Cloud, allegedly affecting more than 140,000 tenant organizations. The breach, if confirmed, would represent a major data exposure, raising concerns over cloud security and enterprise data protection.
The threat actor, using the alias “rose87168,” posted details of the breach on a dark web forum, stating that Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems were compromised.
Sensitive Data Allegedly Leaked
The stolen data reportedly includes Java KeyStore (JKS) files, encrypted SSO passwords, hashed LDAP credentials, and Enterprise Manager JPS keys. These components are critical for securing enterprise authentication systems and managing application access. According to the hacker, SSO passwords could potentially be decrypted to gain unauthorized access to connected applications and services.
The attacker has also offered rewards to individuals who can assist in decrypting the credentials and is allegedly pressuring affected organizations to pay to have their data removed from the exposed list. This has raised the stakes, adding an extortion dimension to the incident.
Oracle Denies Breach
In response to these claims, Oracle has firmly denied any breach of its cloud systems, stating that the credentials in question are unrelated to Oracle Cloud and that no customer data has been compromised. The company’s official position is that its cloud infrastructure remains secure, though the situation continues to be monitored closely.
Possible Exploit Path Identified
Experts analyzing the breach claims have linked the incident to a known vulnerability, CVE-2021-35587, in Oracle Fusion Middleware. The outdated system, reportedly last updated in 2014, may have been exploited through an unauthenticated access vector. The affected subdomain in question was allegedly running Oracle Fusion Middleware 11g, a version susceptible to remote attacks.
Impact and Risk for Organizations
If the claims are accurate, the breach poses a serious threat to organizations relying on Oracle Cloud for enterprise operations. Exposed SSO and LDAP credentials could be used for further exploitation, data theft, or unauthorized access to sensitive systems. The added layer of extortion from the hacker elevates the risk for financial and reputational damage.
Security Measures Recommended
Organizations are advised to take precautionary steps:
- Reset all SSO and LDAP passwords, particularly those with administrative access.
- Enable multi-factor authentication (MFA) across user accounts.
- Conduct a full security audit of Oracle Cloud services in use.
- Increase monitoring for suspicious login attempts and access patterns.
While Oracle has denied any compromise, the serious nature of the claims demands vigilance. Organizations must stay alert, act preemptively, and prioritize cybersecurity hygiene to safeguard against potential fallout.