A significant Oracle Cloud breach has exposed 6 million records, impacting over 140,000 businesses. Cybersecurity firm CloudSEK identified the attack, labeling it the “biggest supply chain hack of 2025.” The attacker, known as “rose87168,” is actively selling the stolen data online.
Details of the Oracle Cloud Breach
The breach targeted Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. Stolen data includes files, passwords, Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys. The attacker exploited a vulnerability in Oracle WebLogic Server, targeting the login.(region-name).oraclecloud.com endpoint used for Oracle account logins.
The threat actor, active since January 2025, is not only selling the data but also offering decryption assistance and demanding ransoms for data removal. They even created an X (formerly Twitter) page to follow Oracle-related accounts, potentially for harassment or targeting purposes.
Impact and Severity
This Oracle Cloud breach poses significant risks to affected organizations. The exposed data could lead to data leaks, unauthorized access, corporate espionage, and further system infiltration if the encrypted passwords are cracked. The compromised JKS and key files introduce supply chain vulnerabilities, potentially compromising interconnected systems. CloudSEK assigned a “High” severity rating to this incident due to its scale and potential for widespread damage.
Mitigation and Recommendations
CloudSEK recommends immediate action for affected organizations:
- Reset credentials.
- Conduct forensic investigations to identify unauthorized access and halt further exploitation.
- Monitor the dark web for leaked data.
- Enforce strict access controls.
Organizations using Oracle Cloud should assess and mitigate their exposure immediately. The scale of this breach underscores the critical need for robust security measures within cloud environments.