Despite Oracle’s firm denial of any breach of its federated SSO login servers or theft of account data belonging to 6 million people, BleepingComputer’s reporting indicates the leaked data is authentic: multiple companies have confirmed that data samples shared by the threat actor are legitimate.
Details of the Alleged Breach
Last week, an individual using the alias ‘rose87168’ advertised for sale what they described as authentication data and encrypted passwords for 6 million Oracle Cloud users. They claimed the stolen files contain enough information to decrypt the SSO and LDAP passwords, and offered to share some of the data with anyone who could help them recover those passwords.
Extent of the Data Leak
The hacker released several text files containing a database, LDAP data, and a list of 140,621 domains purportedly belonging to companies affected by the breach. Some of the listed domains appear to be test entries, and several companies have multiple domains in the list, so the number of distinct affected organizations is likely lower than the raw count.
Proof of Breach
The threat actor also provided a URL to an Internet Archive (Archive.org) snapshot of a text file that had been hosted on an Oracle Cloud login server. The file contained the threat actor’s email address, which supports their claim that they were able to create files on Oracle’s systems and signals a potential breach.
Oracle’s Denial and Contradictory Evidence
Oracle continues to deny any breach of its cloud services, stating that “The published credentials do not relate to Oracle Cloud” and maintaining that no Oracle Cloud customer experienced a breach or lost data. BleepingComputer’s investigation contradicts this: it obtained further samples from the threat actor and, speaking with affected companies on condition of anonymity, confirmed that the data is accurate.
Communication with the Threat Actor
Emails shared with BleepingComputer indicate that the threat actor has been in contact with Oracle. In one email, the threat actor told Oracle about a significant vulnerability they claim to have exploited to access data on 6 million users. In another exchange, a purported Oracle representative acknowledged the communications.
Linked Vulnerability in Server Software
Independent cybersecurity firm CloudSEK found evidence consistent with the alleged breach timeframe. It found that the “login.us2.oraclecloud.com” server was running Oracle Fusion Middleware 11g, a version it flagged as affected by CVE-2021-35587, a critical unauthenticated remote code execution vulnerability in the OpenSSO Agent component of Oracle Access Manager that could have been exploited in the attack.
Repeated inquiries to Oracle from BleepingComputer have gone unanswered.
Further Analysis and Resources
Explore an in-depth analysis of techniques used in over 14 million malicious actions in the recently released Red Report 2025.