
A massive security breach in Oracle Cloud has put over 140,000 enterprise customers at risk. A hacker exploited a vulnerability in Oracle’s middleware, gaining access to sensitive authentication records and demanding ransom from affected organizations.
Oracle Cloud Breach: A Major Cybersecurity Threat
According to threat intelligence firm CloudSEK, an attacker infiltrated Oracle Cloud’s login infrastructure, exfiltrating six million authentication records. The stolen data is now being marketed on underground forums, posing serious security concerns for businesses relying on Oracle’s cloud services.
Security researchers at CloudSEK’s XVigil team identified the breach on March 21, 2025. The hacker, using the alias “rose87168,” was found selling authentication records extracted from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.
The compromised data includes:
Java KeyStore (JKS) files
Encrypted SSO passwords
Key files
Enterprise Manager Java Platform Security (JPS) keys
These elements are critical for authentication and access control within Oracle Cloud, making this breach highly concerning.
How the Attack Happened
CloudSEK’s investigation suggests that the attacker exploited a vulnerability in Oracle’s login endpoints, specifically targeting the subdomain login.us2.oraclecloud.com. The subdomain remained active as of February 17, 2025, despite running outdated software components.
“The threat actor has demonstrated advanced skills by breaching Oracle’s authentication infrastructure,” CloudSEK stated. “They are not only selling the data but also seeking help to decrypt stolen passwords, indicating a well-organized cybercriminal operation.”
Despite these findings, Oracle has denied the breach. “There has been no breach of Oracle Cloud. The published credentials are not related to Oracle Cloud. No Oracle Cloud customers have experienced a breach or data loss,” an Oracle spokesperson claimed.
Exploited Vulnerability: CVE-2021-35587
The attack appears to have exploited CVE-2021-35587, a critical flaw in Oracle Access Manager. This vulnerability was listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog in December 2022.
The flaw allows unauthenticated attackers to take complete control of Oracle Access Manager instances via HTTP. CloudSEK’s digital forensics indicate that the breached server was running Oracle Fusion Middleware 11G, last updated in September 2014—more than a decade ago. This significant delay in patching left Oracle’s system open to attack.
“The vulnerability in Oracle Fusion Middleware allowed the hacker to take control of Oracle Access Manager,” CloudSEK reported. “The lack of timely patching made exploitation possible.”
Furthermore, the hacker claimed they targeted a publicly known vulnerability that currently has no available proof-of-concept (PoC) or exploit.

Business Impact and Risks
The hacker has initiated an extortion campaign, contacting affected organizations and demanding ransom in exchange for removing their stolen data from underground marketplaces.
To apply additional pressure, the attacker has become active on X (formerly Twitter), interacting with Oracle-related accounts. Their goal is to increase public awareness of the breach, potentially damaging Oracle’s reputation.
“Organizations affected by the breach can contact me to verify if their data is included in the leaked database,” the hacker wrote in a social media post.
With over 140,000 Oracle Cloud tenants potentially impacted, this breach carries significant supply chain security risks. If authentication mechanisms are compromised, attackers could pivot into interconnected systems, widening the scope of damage.
Mitigation and Security Measures
CloudSEK has provided a set of security recommendations for affected organizations:
Immediate Credential Rotation: All LDAP user account passwords must be reset, especially privileged accounts like Tenant Administrators.
Stronger Authentication Controls: Implement multi-factor authentication (MFA) and stricter password policies to reduce the risk of credential misuse.
Regenerate Security Certificates: Any affected SSO, SAML, or OIDC secrets should be revoked and replaced to prevent unauthorized access.
Patch Management: Organizations should regularly update their Oracle Cloud instances and middleware to close security gaps.
Security Monitoring: Continuous monitoring of authentication logs and user access patterns can help detect suspicious activity early.
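The credential-rotation and log-monitoring recommendations above, worked through as a small audit script. This is an added example, not CloudSEK's or Oracle's tooling; the account records and the SSO log lines are constructed, the log format is assumed, and the only value taken from the article is the March 21, 2025 breach date used as the rotation cutoff.

```python
from collections import defaultdict
from datetime import date

# Constructed LDAP-style account records (not real Oracle Cloud data).
# is_admin marks Tenant Administrator accounts, which are rotated first.
ACCOUNTS = [
    {"uid": "tenant.admin", "is_admin": True, "pwd_last_set": date(2024, 11, 2)},
    {"uid": "alice", "is_admin": False, "pwd_last_set": date(2025, 3, 25)},
    {"uid": "bob", "is_admin": False, "pwd_last_set": date(2025, 1, 14)},
    {"uid": "svc-backup", "is_admin": True, "pwd_last_set": date(2025, 3, 22)},
]

# Date the breach was identified (from the article). A password set on or
# before this date may be in the stolen records and must be rotated.
BREACH_DATE = date(2025, 3, 21)

# Constructed SSO authentication log, assumed format: "ts user src_ip result".
AUTH_LOG = """\
2025-03-22T01:00:01Z alice 203.0.113.9 FAIL
2025-03-22T01:00:02Z bob 203.0.113.9 FAIL
2025-03-22T01:00:03Z carol 203.0.113.9 FAIL
2025-03-22T01:00:04Z tenant.admin 203.0.113.9 SUCCESS
2025-03-22T08:15:00Z alice 198.51.100.4 SUCCESS
"""


def accounts_needing_rotation(accounts, breach_date=BREACH_DATE):
    """Return uids whose password predates the breach, admins first."""
    stale = [a for a in accounts if a["pwd_last_set"] <= breach_date]
    stale.sort(key=lambda a: (not a["is_admin"], a["uid"]))
    return [a["uid"] for a in stale]


def spraying_sources(log_text, min_accounts=3):
    """Flag source IPs that tried >= min_accounts distinct users: a sign of
    leaked credentials being replayed across many accounts."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        _ts, user, ip, _result = line.split()
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def suspicious_successes(log_text, stale_uids, flagged_ips):
    """Successful logins to not-yet-rotated accounts from a flagged source:
    the events to escalate first during incident response."""
    hits = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        if result == "SUCCESS" and user in stale_uids and ip in flagged_ips:
            hits.append((ts, user, ip))
    return hits
```

Running the three functions together on the sample data ranks the unrotated Tenant Administrator account first and surfaces its successful login from the source that probed several other accounts seconds earlier.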
Conclusion
This breach underscores the persistent cybersecurity challenges in cloud environments, especially in authentication systems. Businesses using Oracle Cloud services should take this incident seriously and implement immediate security measures to safeguard their data.
As attackers become more sophisticated, proactive security strategies are essential to prevent unauthorized access and mitigate risks in cloud infrastructures.