Hacker Claims Oracle Cloud Breach, Allegedly Steals 6 Million Records; Oracle Denies Incident

Sunita Somvanshi

A hacker claiming to have breached Oracle Cloud’s systems is selling what they say are 6 million stolen records containing sensitive security data. The breach allegedly affects over 140,000 businesses globally, though Oracle firmly denies the claims.

According to cybersecurity firm CloudSEK, which discovered the breach on March 21, the incident is being called “the biggest supply chain hack of 2025.” The threat actor, using the alias “rose87168,” claims to have exploited a vulnerability in Oracle WebLogic Server used for login pages.

What was stolen?

The stolen data reportedly includes:

  • Java KeyStore (JKS) files containing cryptographic keys and certificates
  • Encrypted Single Sign-On (SSO) passwords
  • Encrypted LDAP passwords
  • Enterprise Manager JPS keys
  • Key files that could enable access to critical systems

The hacker accessed the systems through “login.(region-name).oraclecloud.com” endpoints, which handle Oracle account sign-ins.

Oracle’s response

Oracle has categorically denied any breach. “There has been no breach of Oracle Cloud,” a spokesperson told The Register. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Despite Oracle’s denial, the hacker provided evidence suggesting otherwise. In early March they created a text file containing their email address on login.us2.oraclecloud.com as apparent proof of access; the file was captured by the Internet Archive’s Wayback Machine.

How the breach occurred

CloudSEK believes the server may not have been patched to close CVE-2021-35587, a critical vulnerability in Oracle Access Manager’s OpenSSO Agent. This security flaw can be exploited over HTTP without authentication, potentially giving hackers access to the type of information now being sold.

Ransom demands

The hacker is demanding payments from affected companies to remove their data before it is sold. About a month ago they contacted Oracle requesting over $200 million in cryptocurrency in exchange for breach details, but were refused.

“The SSO passwords are encrypted; they can be decrypted with the available files,” the hacker claimed in their forum post. “Also LDAP hashed passwords can be cracked. I couldn’t do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift.”

Widespread impact

The alleged breach has triggered emergency responses from major organizations worldwide. In Australia, cyber professionals at the country’s largest banks, telecommunications providers, airlines, retailers and government departments scrambled on Sunday to check their systems after being named by the hacker.

Security recommendations

CloudSEK has assigned a “High” severity rating to the threat and recommends affected organizations:

  • Reset all credentials
  • Launch forensic investigations to identify unauthorized access
  • Monitor dark web forums for leaked data
  • Enforce strict access controls
  • Immediately assess and mitigate exposure if using Oracle Cloud

The exposure presents serious risks, including mass data leaks, unauthorized system access, corporate espionage, and supply chain vulnerabilities that could allow attackers to compromise interconnected systems.

Frequently Asked Questions

What exactly happened in the Oracle Cloud breach?

A hacker using the alias “rose87168” claims to have exploited a vulnerability in Oracle WebLogic Server to steal 6 million records from Oracle Cloud’s Single Sign-On (SSO) and LDAP systems. The stolen data reportedly includes Java KeyStore files, encrypted passwords, and security keys. Oracle denies any breach occurred, while the hacker has provided some evidence suggesting access to Oracle systems. CloudSEK, a cybersecurity firm, discovered the breach on March 21.

How many businesses are affected by this breach?

According to CloudSEK, over 140,000 businesses across multiple regions and industries are potentially at risk from this breach. These include major banks, telecommunications companies, airlines, retailers, and government departments. In Australia alone, companies like Telstra, Optus, Qantas, Woolworths, Coles, and the Australian Securities Exchange were reportedly scrambling to check their systems after being named by the hacker.

What is Oracle saying about the breach?

Oracle has categorically denied any breach occurred. An Oracle spokesperson told The Register: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” Despite this denial, the hacker claims to have contacted Oracle about a month ago requesting over $200 million in cryptocurrency for information about the breach, which Oracle reportedly refused.

What evidence exists that the breach actually happened?

The hacker created a text file on an Oracle Cloud login server (specifically login.us2.oraclecloud.com) containing their email address, which was captured by the Internet Archive’s Wayback Machine in early March 2025. They’ve also shared samples of allegedly stolen information on hacking forums. CloudSEK’s investigation suggests the server may not have been patched to close CVE-2021-35587, a known critical vulnerability in Oracle Access Manager that could potentially allow the type of access claimed.

What should affected businesses do right now?

CloudSEK recommends several immediate actions: reset all credentials, launch forensic investigations to identify any unauthorized access, monitor dark web forums for leaked data, enforce strict access controls, and assess exposure if using Oracle Cloud. Companies should also patch any vulnerabilities in Oracle WebLogic or associated systems and implement multi-factor authentication where possible.

What are the potential risks if the breach is confirmed?

The risks include mass data leaks, unauthorized access to systems, corporate espionage, and supply chain vulnerabilities. If the encrypted SSO and LDAP passwords are cracked, attackers could gain deeper access to Oracle Cloud environments. The compromised JKS files and security keys could allow attackers to compromise interconnected systems, potentially affecting partners and customers. Businesses also face financial and reputational damage from the hacker’s extortion demands.
