A hacker claiming to have breached Oracle Cloud’s systems is selling what they say are 6 million stolen records containing sensitive security data. The breach allegedly affects over 140,000 businesses globally, though Oracle firmly denies the claims.
According to cybersecurity firm CloudSEK, which discovered the breach on March 21, the incident is being called “the biggest supply chain hack of 2025.” The threat actor, using the alias “rose87168,” claims to have exploited a vulnerability in Oracle WebLogic Server used for login pages.
What was stolen?
The stolen data reportedly includes:
- Java KeyStore (JKS) files containing cryptographic keys and certificates
- Encrypted Single Sign-On (SSO) passwords
- Encrypted LDAP passwords
- Enterprise Manager JPS keys
- Key files that could enable access to critical systems
The hacker accessed the systems through “login.(region-name).oraclecloud.com” endpoints, which handle Oracle account sign-ins.
Oracle’s response
Oracle has categorically denied any breach. “There has been no breach of Oracle Cloud,” a spokesperson told The Register. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Despite Oracle’s denial, the hacker provided evidence suggesting otherwise. They created a text file on login.us2.oraclecloud.com in early March, captured by the Internet Archive’s Wayback Machine, containing their email address as apparent proof of access.
How the breach occurred
CloudSEK believes the server may not have been patched to close CVE-2021-35587, a critical vulnerability in Oracle Access Manager’s OpenSSO Agent. This security flaw can be exploited over HTTP without authentication, potentially giving hackers access to the type of information now being sold.
Ransom demands
The hacker is demanding payments from affected companies to remove their data before it’s sold. They previously contacted Oracle about a month ago requesting over $200 million in cryptocurrency in exchange for breach details but were refused.
“The SSO passwords are encrypted; they can be decrypted with the available files,” the hacker claimed in their forum post. “Also, LDAP hashed passwords can be cracked. I couldn’t do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift.”
Widespread impact
The alleged breach has triggered emergency responses from major organizations worldwide. In Australia, cyber professionals at the country’s largest banks, telecommunications providers, airlines, retailers and government departments scrambled on Sunday to check their systems after being named by the hacker.
Security recommendations
CloudSEK has assigned a “High” severity rating to the threat and recommends affected organizations:
- Reset all credentials
- Launch forensic investigations to identify unauthorized access
- Monitor dark web forums for leaked data
- Enforce strict access controls
- Immediately assess and mitigate exposure if using Oracle Cloud
The exposure presents serious risks, including mass data leaks, unauthorized system access, corporate espionage, and supply chain vulnerabilities that could allow attackers to compromise interconnected systems.