TechForge

March 27, 2025


  • CloudSEK reports a potential breach, with a threat actor selling data allegedly stolen from Oracle.
  • The firm warns of potential supply chain risks.

A suspected supply chain cyber incident involving Oracle Cloud has drawn attention from cybersecurity researchers and enterprise users alike. According to cybersecurity firm CloudSEK, a threat actor identified as “rose87168” claims to have accessed and extracted sensitive data from Oracle Cloud systems, including files and passwords associated with over 140,000 customer environments.

The data—allegedly obtained from Oracle’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems—includes encrypted credentials, Java KeyStore (JKS) files, and Enterprise Manager JPS keys. CloudSEK says the attack affects tenants across multiple regions and industries, with six million records reportedly compromised.

The activity was first observed in March 2025. In addition to listing the data for sale, the attacker has also used an X account to follow Oracle-related profiles, a move researchers believe may be intended to identify or pressure affected organisations.

Ransom demands and potential exploits

CloudSEK’s report suggests the threat actor has been active since January 2025 and is now demanding payment from companies included in the dataset. The actor is also said to be requesting help to decrypt the credentials in exchange for sharing parts of the data.

The breach appears to have involved the “login.(region-name).oraclecloud.com” endpoint, which is used to authenticate users on Oracle Cloud platforms. CloudSEK suspects that the attacker exploited an Oracle WebLogic Server vulnerability to access login services across different regions.

While the actor has no prior known history, researchers have noted the use of advanced tactics and an awareness of Oracle’s infrastructure.

CloudSEK has assigned a high-severity rating to the incident, citing risks such as data leaks, unauthorised access, and broader supply chain vulnerabilities if the stolen credentials are decrypted. The exposure of key files could, in theory, allow attackers to compromise systems connected to affected Oracle environments.

In response, CloudSEK has recommended immediate action from organisations using Oracle Cloud. Suggested steps include resetting credentials, conducting forensic investigations, monitoring dark web sources for leaked data, and reinforcing access controls.

Oracle denies any breach of its cloud systems

Following reports of a possible breach, Oracle has responded by stating that no intrusion into its cloud infrastructure has occurred. A company spokesperson told The Register that the credentials circulating online are not linked to Oracle Cloud and that no customer data has been exposed.

“There has been no breach of Oracle Cloud,” the spokesperson said. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

The denial comes after a user claiming to be behind the incident posted on a cybercrime forum, offering what they described as Oracle Cloud customer data for sale. The individual also uploaded a file to one of Oracle’s login servers—specifically login.us2.oraclecloud.com—as apparent proof of access. The file contained an email address tied to the seller and was archived on the Internet Archive’s Wayback Machine earlier this year.

Security researchers explore possible entry points

Security analysts reviewing the claims noted that the affected Oracle Cloud login server appeared to be running Oracle Fusion Middleware 11g as recently as February 2025. CloudSEK believes the server may not have been patched against CVE-2021-35587, a known critical vulnerability in Oracle Access Manager’s OpenSSO Agent.

If unpatched, that vulnerability could allow an attacker to gain access without authentication via a publicly available exploit. Whether this route was used in the alleged intrusion has not been confirmed, and Oracle has not commented further on the security posture of its login servers.

Data listing and extortion attempts surface online

On March 21, a user going by “rose87168” listed six million records for sale on BreachForums, claiming the data included Java KeyStore files, encrypted SSO and LDAP passwords, and Enterprise Manager keys. While the exact number of potentially affected organisations remains unclear, the attacker shared domain names of companies allegedly caught in the exposure and suggested that those wishing to avoid publication could pay for their information to be removed.

No specific asking price has been disclosed publicly, but the attacker reportedly approached Oracle with a demand for more than $200 million in cryptocurrency in exchange for full disclosure of the attack. That request was not accepted.

The forum post also included a call for help in decrypting the credentials. The attacker claimed they were unable to access the full dataset themselves but offered to share portions of it with anyone willing to assist.

About the Author

Muhammad Zulhusni

As a tech journalist, Zul focuses on topics including cloud computing, cybersecurity, and disruptive technology in the enterprise industry. He has expertise in moderating webinars and presenting content on video, in addition to having a background in networking technology.
