Oracle Cloud Data Breach: Six Million Records Stolen, 140,000 Clients Potentially Impacted

Though it is still early in 2025, a recent hack of Oracle Cloud is thus far one of the year’s biggest data breaches, with six million records stolen by attackers and around 140,000 tenants potentially impacted.

The cause of the data breach is thought to be a previously known vulnerability that has existed since 2014. The threat actor compromised an Oracle Cloud subdomain and stole encrypted passwords, and was later found on an underground forum asking for help cracking them, attempting to ransom victims, and offering other types of stolen data for sale.

Oracle Cloud compromise traced to old vulnerability

The data breach was uncovered by researchers with security firm CloudSEK, who came across dark web listings on March 21 that advertised some six million records purportedly stolen from Oracle Cloud. The threat actor, going by “rose87168,” claimed to have compromised the subdomain “login.us2.oraclecloud.com” and exfiltrated the records from its Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. That subdomain has since been taken offline by Oracle.

The attacker has offered a number of purloined file types and credentials for sale: Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys. They also posted seeking assistance with cracking the encrypted passwords they stole, offering a reward in return. The data breach additionally may impact some 140,000 Oracle Cloud tenants, and the threat actor appears to be attempting to ransom some of them.

A check of the hacked subdomain’s Wayback Machine archive by the researchers determined that it was hosting Oracle Fusion Middleware 11g, which stopped receiving security support and updates in January 2022. It was found to have a critical vulnerability in its Oracle Access Manager component, CVE-2021-35587, which was fixed in Oracle’s January 2022 Critical Patch Update, later added to CISA’s Known Exploited Vulnerabilities catalog, and allows an unauthenticated remote attacker to take complete control of the server. The researchers describe this vulnerability as “easily exploitable,” making it a prime suspect as the cause of the data breach, but the attackers boasted that they had made use of a different public CVE that did not have a known exploit. Further exploration showed that the middleware had not actually been patched since 2014, leading the researchers to conclude that the attackers used a different vulnerability published that year, for which only a single public exploit was known.

Oracle data breach demonstrates even the biggest organizations still struggle with timely patching

Oracle has issued statements to the media claiming that Oracle Cloud was never breached, but has yet to specifically respond to the seemingly convincing proof that the threat actors posted: internal LDAP information, database samples and a client list, as well as a URL sent to journalists by the attackers for a file that had been created on the compromised subdomain. CloudSEK has since followed up with a “deep dive” report that presents more detailed evidence of the data breach.

The hackers also claim they have already attempted to extort Oracle itself over the data breach, but were turned down. They say they offered Oracle all the information needed to fix and patch the vulnerability in return for 100,000 XMR (about $22.5 million USD as of this writing) but were rejected.

In the meantime, it remains unclear exactly how many of the 140,000 potentially impacted Oracle Cloud clients have had data stolen in follow-on attacks. Thus far no companies have come forward to confirm their own data breaches, but the attackers appear to still be attempting to ransom at least some of the victims. The keystores and keys they claim to have stolen would make it relatively trivial to walk into certain portions of the systems of downstream clients who were not yet aware of the breach.

Heath Renfrow, CISO and Co-founder at Fenix24, expands on the overall threat that this data breach presents: “Regardless of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning. This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk.”

The CloudSEK researchers suggest that potentially impacted Oracle Cloud clients immediately reset the passwords of all LDAP user accounts, and take the opportunity to ensure password policies and MFA implementation are suitably up to date. They also suggest regenerating SASL/MD5 hashes or implementing a more secure authentication method. Oracle support should also be contacted to rotate tenant-specific identifiers and get any further updates on remediation measures. LDAP logs should be continuously monitored for suspicious authentication attempts, and the dark web forums on which the attackers are threatening victims and attempting to sell off their stolen data should be watched as well.
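The LDAP monitoring the researchers recommend is worth making concrete: if stolen SSO password material is being cracked offline, the first sign on a tenant's side is usually a burst of bind attempts from one source, spread across many accounts, followed by a success. The script below is an added example written for this article, not CloudSEK's or Oracle's tooling. It assumes OpenLDAP-style slapd log lines (ACCEPT / BIND / RESULT records correlated by connection id), uses constructed sample lines, and the alert thresholds are arbitrary assumptions a SOC would tune to its own baseline.

```python
"""Flag suspicious LDAP bind activity in slapd-style logs.

Added example (not from the article or CloudSEK).  Assumes OpenLDAP log
formatting; the sample log lines and thresholds below are constructed.
"""
import re
from collections import defaultdict

# slapd log shapes: a connection is ACCEPTed from an IP, then each bind is
# a BIND line (dn tried) followed by a RESULT line (tag=97 = bindResponse).
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

LDAP_INVALID_CREDENTIALS = "49"  # err=49 invalidCredentials, err=0 success

# Constructed sample: one attacker source spraying six accounts on one
# connection, and two legitimate binds from another source.
SAMPLE_LOG = [
    "conn=1001 fd=12 ACCEPT from IP=203.0.113.5:51234 (IP=0.0.0.0:389)",
    'conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128',
    "conn=1001 op=0 RESULT tag=97 err=49 text=",
    'conn=1001 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128',
    "conn=1001 op=1 RESULT tag=97 err=49 text=",
    'conn=1001 op=2 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128',
    "conn=1001 op=2 RESULT tag=97 err=49 text=",
    'conn=1001 op=3 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128',
    "conn=1001 op=3 RESULT tag=97 err=49 text=",
    'conn=1001 op=4 BIND dn="uid=erin,ou=people,dc=example,dc=com" method=128',
    "conn=1001 op=4 RESULT tag=97 err=49 text=",
    'conn=1001 op=5 BIND dn="uid=frank,ou=people,dc=example,dc=com" method=128',
    "conn=1001 op=5 RESULT tag=97 err=0 text=",
    "conn=1002 fd=14 ACCEPT from IP=198.51.100.7:40022 (IP=0.0.0.0:389)",
    'conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128',
    "conn=1002 op=0 RESULT tag=97 err=49 text=",
    'conn=1002 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128',
    "conn=1002 op=1 RESULT tag=97 err=0 text=",
]


def detect_suspicious_binds(lines, fail_threshold=5, dn_threshold=3):
    """Return a list of (alert_type, source_ip, detail) tuples.

    Alerts raised per source IP:
      many_failed_binds      - at least fail_threshold invalid-credential binds
      many_distinct_dns      - at least dn_threshold different DNs failed
      success_after_failures - a successful bind once the failure count had
                               already reached fail_threshold (a cracked or
                               sprayed password landing)
    """
    conn_ip = {}            # conn id -> source IP
    pending = {}            # (conn, op) -> DN awaiting its RESULT
    stats = defaultdict(lambda: {"fails": 0, "dns": set(), "hits": []})

    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err = m.groups()
        dn = pending.pop((conn, op), None)
        if dn is None:
            continue  # RESULT for an op we did not see a BIND for
        st = stats[conn_ip.get(conn, "unknown")]
        if err == LDAP_INVALID_CREDENTIALS:
            st["fails"] += 1
            st["dns"].add(dn)
        elif err == "0" and st["fails"] >= fail_threshold:
            st["hits"].append(dn)

    alerts = []
    for ip, st in stats.items():
        if st["fails"] >= fail_threshold:
            alerts.append(("many_failed_binds", ip, st["fails"]))
        if len(st["dns"]) >= dn_threshold:
            alerts.append(("many_distinct_dns", ip, len(st["dns"])))
        for dn in st["hits"]:
            alerts.append(("success_after_failures", ip, dn))
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_binds(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the attacker source 203.0.113.5 trips all three alerts (five failures, five distinct DNs, then a successful bind as uid=frank), while 198.51.100.7, a user mistyping a password once, produces none. In production the same correlation would be fed from a log pipeline rather than a list, and the `success_after_failures` case is the one to page on, since it indicates a stolen or cracked credential has actually worked.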

Ensar Seker, CISO at SOCRadar, provides some further advice: “This incident could become 2025’s SolarWinds moment, especially if we confirm that multiple enterprises were breached via their Oracle Cloud instances. We’re looking at a case that undermines trust in critical cloud infrastructure, and once again underscores how a single vulnerability in a widely used platform can cascade across thousands of organizations. This also raises a pressing question: How soon did Oracle know? How was this vulnerability triaged, and were any proactive mitigations communicated before this data was already on the dark web? One of the important questions is what affected companies can do? 1. Incident Response at the Tenant Level: Every affected company must immediately rotate all credentials, access keys, and tokens related to Oracle services. Assume compromise and move quickly. 2. Monitor for Reuse and Exposure: Expect these stolen credentials to surface in stealer logs, dark web marketplaces, and brute-force tools. Deploy threat intelligence platforms to track brand mentions and leaked credentials. 3. Demand Vendor Transparency: Customers should pressure Oracle to release a full technical breakdown, including a timeline, affected services, and patching instructions. Transparency now will be critical for restoring trust. 4. Rethink Cloud Security Assumptions: CISOs must treat third-party platforms with the same scrutiny as internal systems. That means continuous monitoring, vulnerability scanning, and more aggressive red teaming of cloud-based assets.”

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, adds: “Organizations using cloud services must ensure strong password management policies, enforce least-privilege access and protect credentials with robust encryption. A zero-trust approach, where access is continuously verified, helps mitigate the risk of unauthorized access, even if credentials are compromised. A layered security model that includes Privileged Access Management (PAM), Multi-Factor-Authentication (MFA) and strong encryption is vital for minimizing the impact of a breach. Automated credential rotation using a PAM solution reduces exposure and strong access controls for privileged resources limit the potential damage if a cyber-attack occurs.”

The Oracle Cloud attack is on pace to be one of 2025’s biggest data breaches, possibly on the scale of the MOVEit breach if enough clients turn out to be impacted. Other major breaches thus far include the public exposure of data on millions of people who collectively had several “stalkerware” apps unwittingly installed on their phones, and an attack on New England-based patient care provider Community Health Center that resulted in the theft of about a million patient records.