discuss Oracle customers confirm data stolen in alleged cloud breach is valid

[Cpvr]

Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.

Last week, a person named ‘rose87168’ claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them.

The threat actor released multiple text files consisting of a database, LDAP data, and a list of 140,621 domains for companies and government agencies that were allegedly impacted by the breach. It should be noted that some of the company domains look like tests, and there are multiple domains per company.

Threat actor selling allegedly stolen Oracle Cloud data
Source: BleepingComputer
In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach.

However, Oracle has denied that it suffered a breach of Oracle Cloud and has refused to respond to any further questions about the incident.

"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer last Friday.

This denial, however, contradicts findings from BleepingComputer, which received additional samples of the leaked data from the threat actor and contacted the associated companies.




Representatives from these companies, all who agreed to confirm the data under the promise of anonymity, confirmed the authenticity of the information. The companies stated that the associated LDAP display names, email addresses, given names, and other identifying information were all correct and belonged to them.

The threat actor also shared emails with BleepingComputer, claiming to be part of an exchange between them and Oracle.

One email shows the threat actor contacting Oracle's security email (secalert_us@oracle.com) to report that they hacked the servers.

"I've dug into your cloud dashboard infrastructure and found a massive vulnerability that has handed me full access to info on 6 million users," reads the email seen by BleepingComputer.

Another email thread shared with BleepingComputer shows an exchange between the threat actor and someone using a ProtonMail email address who claims to be from Oracle. BleepingComputer has redacted the email address of this other person as we could not verify their identity or the veracity of the email thread.

In this email exchange, the threat actor says someone from Oracle using a @proton.me email address told them that "We received your emails. Let’s use this email for all communications from now on. Let me know when you get this."

Cybersecurity firm Cloudsek has also found an Archive.org URL showing that the "login.us2.oraclecloud.com" server was running Oracle Fusion Middleware 11g as of February 17, 2025. Oracle has since taken this server offline after news of the alleged breach was reported.

This version of the software was impacted by a vulnerability tracked as CVE-2021-35587 that allowed unauthenticated attackers to compromise Oracle Access Manager. The threat actor claimed that this vulnerability was used in the alleged breach of Oracle's servers.

BleepingComputer has emailed Oracle numerous times about this information but has not received any response.

Source: https://www.bleepingcomputer.com/ne...data-stolen-in-alleged-cloud-breach-is-valid/

 

[ActionAce]

It is high time Oracles accept that they have already failed. It is not right to deny that there was no data breach when numerous customers came out openly to say that their data had been stolen. Are they lying to us and why would they do that?

 

[Cpvr]

Oracle Finally Admits to Data Breach, FBI Investigating​

Oracle has confirmed a significant data breach involving the theft of legacy client login credentials, marking its second acknowledged security incident in recent weeks.

After previously denying that any compromise had occurred within its cloud infrastructure, the company is now reportedly informing select customers of an intrusion that impacted outdated systems—some of which reportedly contained data as recent as 2024.

The breach was first brought to public attention in March 2025, when a threat actor using the alias “rose87168” began selling what they claimed were six million Oracle customer records on BreachForums. Initially, Oracle dismissed the claims via a statement to BleepingComputer, asserting that its Oracle Cloud systems remained uncompromised. However, multiple cybersecurity firms, including Trustwave and CybelAngel, have since validated the authenticity of the leaked data, which includes usernames, encrypted Single Sign-On (SSO) and LDAP credentials, Java Keystore (JKS) files, and enterprise manager JPS keys.

According to individuals briefed on Oracle's internal investigation, the attack targeted a so-called “legacy environment” not used in active services. Despite Oracle's statements that the compromised system was decommissioned eight years ago, a separate source familiar with the breach indicated that some stolen credentials were dated as recently as 2024. This discrepancy raises questions about Oracle's handling of legacy data retention and internal system segmentation.

The attack appears to have originated from a vulnerability in Oracle's Gen 1 cloud infrastructure. A webshell and malware were reportedly deployed to access Oracle's Identity Management (IDM) database, allowing the attacker to exfiltrate sensitive authentication data. CybelAngel reports that the breach likely began in January 2025 via exploitation of a known Java vulnerability, and that Oracle became aware of suspicious activity in February, shortly before the first ransom demand in early March.

Oracle Corporation, a global leader in enterprise software and cloud computing, serves thousands of customers across sectors, including finance, government, and healthcare. The firm is headquartered in Austin, Texas, and operates one of the largest cloud infrastructure platforms in the world. Its legacy Gen 1 servers, which were superseded by Gen 2 architecture, reportedly lacked many of the security hardening measures present in modern deployments.

The attacker, “rose87168,” surfaced publicly on March 5, 2025, and has since demanded a ransom of $20 million. The threat actor has also shown a willingness to barter stolen data in exchange for zero-day exploits — suggesting motivations beyond simple financial extortion. Samples of the data shared online included proof of access to Oracle Cloud subdomains, though Oracle continues to insist there was no breach of the Gen 2 cloud systems.

Threat actor's post on BreachForums
CybelAngel
The FBI and CrowdStrike are currently investigating the intrusion. While Oracle has not publicly commented beyond customer communications, internal notifications have acknowledged that the exposed data — although partially outdated — could facilitate phishing campaigns or account takeover attempts.

This incident follows a separate, unrelated breach involving Oracle's patient records management software, which came to light in late March. In that case, threat actors accessed patient data held by healthcare providers and attempted to extort them individually.

Source: https://cyberinsider.com/oracle-finally-admits-to-data-breach-fbi-investigating/