Oracle has denied allegations that its public cloud services were compromised and sensitive customer data was stolen, despite mounting evidence that suggests otherwise.
A cybercriminal recently claimed to have gained access to Oracle Cloud's single sign-on (SSO) login servers and extracted vast amounts of sensitive information, which is now reportedly up for sale on a notorious cybercrime forum.
CloudSEK reported that a hacker, operating under the alias “rose87168,” claims to be selling six million records purportedly stolen from Oracle Cloud systems, a service vital for businesses managing their online infrastructure.
However, Oracle denied these claims, asserting the integrity of its cloud security.
“There has been no breach of Oracle Cloud,” the company said.
“The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
That denial is being challenged by a series of developments that surfaced late last week, when a cybercriminal going by the alias “rose87168” advertised on BreachForums, a popular online marketplace for stolen data, that they had obtained sensitive Oracle Cloud data.
According to the miscreant, the data was exfiltrated from at least one Oracle Cloud login server, specifically login.us2.oraclecloud.com, by exploiting a known security vulnerability in Oracle Fusion Middleware.
As reported by BleepingComputer, the attacker went a step further to substantiate their claims by allegedly creating and uploading a text file to Oracle Cloud’s US2 login server, which was subsequently captured by the Internet Archive’s Wayback Machine in early March.
The file reportedly contained nothing more than the attacker’s email address — a move seemingly intended to prove that they had compromised the server.
The attacker claimed that the stolen data was siphoned off from the EM2 and US2 login servers, potentially affecting thousands of Oracle Cloud customers. Samples of the allegedly stolen information, including security keys and credentials, were shared by the attacker to entice potential buyers.
Security researchers at CloudSEK assessed, based on archived snapshots of the server, that the US2 host was still running an unpatched version of Oracle Fusion Middleware 11g as recently as February 2025. That would leave it exposed to CVE-2021-35587, a critical (CVSS 9.8) flaw in the OpenSSO Agent component of Oracle Access Manager, which is part of Fusion Middleware.
The vulnerability can be exploited over HTTP without authentication, and a successful attack can result in takeover of the Oracle Access Manager instance: exactly the position from which the kind of SSO and directory data the hacker now claims to hold could be harvested. Oracle patched the flaw in its January 2022 Critical Patch Update, and public exploit code has been available since 2022.
On Thursday, the attacker listed what was purported to be six million records of Oracle Cloud customers’ data on BreachForums. The alleged haul included:
- Java KeyStore (JKS) files containing security certificates and keys
- Encrypted Oracle Cloud SSO passwords
- Encrypted LDAP passwords
- Enterprise Manager JPS keys
- Other sensitive information linked to Oracle Cloud customers
The exact number of potentially affected customers remains unclear, though initial estimates suggest it could be in the thousands.
In a brazen move, rose87168 is not only attempting to sell the allegedly stolen data but also reportedly contacted Oracle about a month ago, demanding over $200 million in cryptocurrency in exchange for details about the alleged breach. Oracle, however, rejected the demand.
The attacker also made an unusual request for assistance in decrypting the encrypted credentials they allegedly obtained.
Oracle, which provides cloud services to businesses worldwide, including government agencies and Fortune 500 companies, has not publicly acknowledged any shortcomings in its cloud security infrastructure. Like many other cloud providers, the company has been increasingly promoting a subscription model that emphasizes stringent security and compliance measures. Whether or not the breach is ultimately confirmed, the incident raises fresh concerns about the robustness of Oracle's cloud security posture.
The implications of this alleged breach are profound.
The compromised data could enable unauthorized access to customer systems and further data exfiltration. The SSO and LDAP passwords are described as encrypted rather than plaintext, but an attacker who holds them can attack them offline with no lockout or rate limiting, and every password recovered could open further interconnected systems. The Java KeyStore files are the more immediate concern: a keystore bundles private keys with their certificates, so any signing or TLS key inside one must be treated as compromised regardless of whether a single password is ever cracked. The hacker's demands for payment add financial and reputational risk for affected companies.
Cybersecurity experts are urging Oracle Cloud customers to remain vigilant, recommending that they review their access controls and rotate credentials, including the passwords and keys covered by the listing, as a precautionary measure.
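As an added illustration, not code from the article, CloudSEK or Oracle: why a leaked Java KeyStore (JKS) file of the kind in the listing above is itself a credential exposure. A version-2 JKS ends with a SHA-1 digest keyed only by the store password, so whoever holds the file can test password guesses offline at full speed. The keystore, aliases, placeholder certificate bytes and wordlist below are constructed for the example; the format details (magic 0xFEEDFEED, the fixed "Mighty Aphrodite" suffix, UTF-16BE password encoding) are those of the Sun/Oracle JavaKeyStore implementation.

```python
"""Why a leaked Java KeyStore is a credential exposure, not just a file.

Added example, not from the article or Oracle. A version-2 JKS carries a
SHA-1 integrity digest keyed only by the store password, so anyone holding
the file can verify password guesses offline. We build a constructed toy
keystore with the standard library, then recover its weak password.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY = 1
TRUSTED_CERT = 2
# Fixed suffix mixed into the digest by Sun's JavaKeyStore implementation.
_DIGEST_SUFFIX = b"Mighty Aphrodite"


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte big-endian length + UTF-8 body."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (UTF-16BE) || 'Mighty Aphrodite' || store body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(_DIGEST_SUFFIX)
    h.update(body)
    return h.digest()


def build_trusted_cert_jks(entries, password: str) -> bytes:
    """Serialize (alias, DER bytes) trusted-cert entries as a version-2 JKS."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias)
        body += struct.pack(">Q", 0)             # creation timestamp (ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)


def parse_jks(data: bytes):
    """Return (aliases, body, stored_digest); no password is needed to read."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    pos = 12
    aliases = []
    for _ in range(count):
        tag, = struct.unpack_from(">I", data, pos); pos += 4
        alen, = struct.unpack_from(">H", data, pos); pos += 2
        aliases.append(data[pos:pos + alen].decode("utf-8")); pos += alen
        pos += 8                                    # timestamp
        if tag == PRIVATE_KEY:                      # encrypted key + chain
            klen, = struct.unpack_from(">I", data, pos); pos += 4 + klen
            nchain, = struct.unpack_from(">I", data, pos); pos += 4
        else:                                       # trusted cert: one cert
            nchain = 1
        for _ in range(nchain):
            tlen, = struct.unpack_from(">H", data, pos); pos += 2 + tlen
            clen, = struct.unpack_from(">I", data, pos); pos += 4 + clen
    return aliases, data[:pos], data[pos:pos + 20]


def crack_jks_password(data: bytes, wordlist):
    """Offline guessing: first candidate whose keyed digest matches, else None."""
    _, body, stored = parse_jks(data)
    for candidate in wordlist:
        if _digest(candidate, body) == stored:
            return candidate
    return None


# Constructed sample: the "certificates" are placeholder DER, not real certs,
# and "changeit" is the well-known Java default keystore password.
SAMPLE_JKS = build_trusted_cert_jks(
    [("sso-signing", b"\x30\x03\x02\x01\x01"), ("ldap-ca", b"\x30\x03\x02\x01\x02")],
    password="changeit",
)
WORDLIST = ["password", "oracle", "welcome1", "changeit", "secret"]

if __name__ == "__main__":
    aliases, _, _ = parse_jks(SAMPLE_JKS)
    print("aliases:", aliases)
    print("store password:", crack_jks_password(SAMPLE_JKS, WORDLIST))
```

Aliases and certificates are readable without any password at all, and the integrity digest is a single unsalted SHA-1 pass, so a leaked store gives an attacker unlimited, unthrottled guesses. The private-key entries inside the file are protected by a similar single-pass SHA-1 scheme under the key password (frequently the same as the store password), which is what hashcat's JKS mode targets. Either way, the right response to a leaked keystore is to re-issue the keys it contains, not merely to change the password.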