Oracle Customers Validate Stolen Data from Cloud Server Breach

Oracle denies a data breach affecting 6 million users, but independent verification confirms the authenticity of stolen data, contradicting their claims.

    Despite Oracle’s denial of a data breach, multiple companies have independently verified the authenticity of data allegedly stolen from Oracle Cloud servers. This confirmation casts serious doubt on Oracle’s public statements and raises significant concerns about the security of their cloud infrastructure.

    The Alleged Breach and Oracle’s Denial

    A threat actor, using the moniker “rose87168,” claimed responsibility for a breach affecting Oracle Cloud servers, alleging the theft of authentication data and encrypted passwords for approximately 6 million users.

    The actor offered samples of the purportedly stolen data, including database records, LDAP data, and a list of over 140,000 domains belonging to various companies and government agencies. The threat actor also provided an Archive.org URL linking to a file on an Oracle server containing their email address, suggesting they had direct access to the system.

    Oracle, however, vehemently denied the breach in a statement to BleepingComputer: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

    Independent Verification Confirms Authenticity of Data

    BleepingComputer independently investigated these claims. They obtained additional data samples from the threat actor and contacted several affected companies. Under the condition of anonymity, representatives from these companies confirmed the validity of the leaked data. They verified that the LDAP display names, email addresses, given names, and other identifying information were accurate and belonged to their organizations.

    This independent verification directly contradicts Oracle’s official denial.

    Evidence Suggesting a Breach

    Further evidence supporting the breach includes:

    • Email Exchanges: The threat actor shared email communications with BleepingComputer, including an email sent to Oracle’s security alert email address (secalert_us@oracle.com) reporting the alleged breach. The email stated, “I’ve dug into your cloud dashboard infrastructure and found a massive vulnerability that has handed me full access to info on 6 million users.” Another email thread, though with one party’s identity unverified, suggests further communication between the threat actor and someone claiming to be from Oracle.
    • Vulnerable Software: Security firm CloudSEK found an Archive.org snapshot showing that the server “login.us2.oraclecloud.com” was running Oracle Fusion Middleware 11g as of February 17, 2025. That product line is affected by CVE-2021-35587, a vulnerability that allows an unauthenticated attacker to compromise Oracle Access Manager, and the threat actor claimed to have exploited it. An archived banner identifies the product line rather than the patch level, so on its own it is circumstantial rather than conclusive. Oracle has since taken the server offline.
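    The archived-banner finding above can be reproduced for any host. The Python script below is an added example and is not code from the article, from CloudSEK or from BleepingComputer: it queries the Wayback Machine CDX API for snapshots of a host within a date window, fetches each raw snapshot, and scans it for product-line markers. The CDX API and the `id_` raw-snapshot URL form are real; the banner regexes, the mapping of the 11g line to CVE-2021-35587 (taken from the article), and the sample login page are constructed assumptions. A banner hit shows the product line, not the patch level, so the script reports a triage lead rather than a confirmed vulnerability.

```python
"""Check archived copies of a login host for Oracle Fusion Middleware banners.

Added example, not part of the original article or of any vendor's tooling.
Real: the Wayback CDX API and the 'id_' raw-snapshot URL form.
Assumed: the banner regexes below and the sample HTML used for offline runs.
"""
import json
import re
import sys
import urllib.parse
import urllib.request

CDX_API = "https://web.archive.org/cdx/search/cdx"

# Assumed markers as they might appear in an OAM login page footer.
# A banner identifies the product line, not the patch level, so a hit is a
# lead for further checks, not proof that CVE-2021-35587 is exploitable.
BANNER_PATTERNS = [
    (re.compile(r"Oracle Fusion Middleware\s+11g", re.I), "fmw11g"),
    (re.compile(r"Oracle Fusion Middleware\s+12c", re.I), "fmw12c"),
    (re.compile(r"Oracle Access Manager", re.I), "oam"),
]

# The article ties CVE-2021-35587 (Oracle Access Manager) to the 11g line.
AFFECTED_LINES = {"fmw11g": "CVE-2021-35587"}

# Constructed sample body standing in for an archived login page; not real Oracle content.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post"><input name="username"><input name="password" type="password"></form>
<div class="footer">Oracle Fusion Middleware 11g &middot; Oracle Access Manager</div>
</body></html>"""


def fingerprint(html: str) -> dict:
    """Return the markers found in a page body and the CVEs to triage, if any."""
    found = [tag for pat, tag in BANNER_PATTERNS if pat.search(html)]
    cves = sorted({AFFECTED_LINES[t] for t in found if t in AFFECTED_LINES})
    return {"markers": found, "triage_cves": cves}


def cdx_snapshots(host: str, start: str, end: str, limit: int = 5) -> list:
    """List archived (timestamp, original_url) pairs for host between two YYYYMMDD dates.

    Network call: fails offline, so callers should catch exceptions.
    """
    params = {
        "url": host,
        "from": start,
        "to": end,
        "output": "json",
        "filter": "statuscode:200",
        "fl": "timestamp,original",
        "limit": str(limit),
    }
    with urllib.request.urlopen(f"{CDX_API}?{urllib.parse.urlencode(params)}", timeout=20) as r:
        rows = json.load(r)
    return [tuple(row) for row in rows[1:]]  # first row is the CDX header


def fetch_snapshot(timestamp: str, original: str) -> str:
    """Fetch the raw archived body; the id_ suffix suppresses the Wayback toolbar."""
    url = f"https://web.archive.org/web/{timestamp}id_/{original}"
    with urllib.request.urlopen(url, timeout=30) as r:
        return r.read().decode("utf-8", errors="replace")


def main(argv: list) -> int:
    # No host given: demonstrate the fingerprint on the constructed sample.
    if len(argv) < 2:
        print(fingerprint(SAMPLE_LOGIN_PAGE))
        return 0
    host = argv[1]
    start, end = (argv[2], argv[3]) if len(argv) >= 4 else ("20250101", "20250331")
    try:
        snaps = cdx_snapshots(host, start, end)
    except Exception as exc:
        print(f"CDX lookup failed: {exc}", file=sys.stderr)
        return 1
    for ts, original in snaps:
        try:
            body = fetch_snapshot(ts, original)
        except Exception as exc:
            print(f"{ts}: fetch failed: {exc}", file=sys.stderr)
            continue
        print(ts, original, fingerprint(body))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python3 banner_check.py login.us2.oraclecloud.com 20250201 20250228` to list February 2025 snapshots and their markers; with no arguments it fingerprints the constructed sample page. Treat any hit as a prompt to confirm the patch level through the vendor, not as a finding in itself.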

    Despite repeated attempts by BleepingComputer to reach them, Oracle has not responded to requests for comment on this evidence.

    Implications and Concerns

    The independent confirmation of the leaked data raises serious concerns about the security of Oracle’s cloud services and about the accuracy of Oracle’s public statements, and the company’s silence on the evidence compounds them. Organizations that use Oracle Cloud should check whether their domains appear in the list the threat actor published, treat credentials and LDAP data that pass through the affected login service as potentially exposed and rotate them, and review their overall security posture in light of this incident.
