A threat actor has reportedly breached Oracle Cloud infrastructure, exfiltrating six million sensitive authentication records and potentially endangering more than 140,000 enterprise customers. The attacker is now demanding ransom payments while actively marketing the stolen data on underground forums, according to threat intelligence firm CloudSEK.
Security researchers at CloudSEK’s XVigil team discovered the breach on March 21, 2025, when they identified a threat actor operating under the alias “rose87168” selling millions of records extracted from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.
The compromised data includes critical security components such as Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys – all essential elements for authentication and access control within the Oracle Cloud environment.
According to CloudSEK’s investigation, the attacker claims to have penetrated Oracle’s infrastructure by exploiting a vulnerability in the company’s login endpoints, specifically targeting the subdomain login.us2.oraclecloud.com. This subdomain was reportedly still operational as recently as February 17, 2025, despite running severely outdated software components.
“The threat actor has demonstrated sophisticated capabilities by targeting a critical authentication infrastructure,” said CloudSEK in their report. “They’re not only selling the data but also actively recruiting assistance to decrypt the stolen passwords, suggesting an organized and persistent threat operation.”
Oracle has denied the data breach. “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” an Oracle spokesperson said.
Known vulnerability reportedly exploited
According to the report, the attack appears to leverage CVE-2021-35587, a critical vulnerability in Oracle Access Manager that the Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities catalog in December 2022. The flaw is especially dangerous because it allows an unauthenticated attacker with network access over HTTP to fully compromise an Oracle Access Manager instance.
Evidence cited in the report suggests the compromised server was running Oracle Fusion Middleware 11g, with components last updated in September 2014, more than a decade before the reported breach. That lag in patch management created the opening for exploitation.
“Due to lack of patch management practices and/or insecure coding, the vulnerability in Oracle Fusion Middleware was exploited by the threat actor,” the CloudSEK report pointed out. “This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in the takeover of Oracle Access Manager (OAM).”
CloudSEK in its report mentioned that the threat actor reportedly told an independent news source that they have exploited “a vulnerable version of the Oracle Cloud servers with a public CVE that does not currently have a public PoC or exploit.”
Internet Archive records cited in the report show that the subdomain was still serving Oracle Fusion Middleware 11g in February 2025, contrary to the basic practice of keeping internet-facing authentication infrastructure current with security patches.
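The two signals the report relies on, a legacy middleware banner and login content that has not changed in years, are things a defender can check on their own exposed SSO endpoints. The following Python is an added example written for this article, not code from CloudSEK or Oracle. It parses a raw HTTP response, flags an 11g-era Oracle server banner and Oracle DMS diagnostic headers, and measures how long the served login page has gone unmodified. The two sample responses are constructed for illustration and are not captures from login.us2.oraclecloud.com; the banner value and header names are of the kind Oracle HTTP Server and Fusion Middleware 11g deployments are known to emit, but the specific strings here are assumptions.

```python
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses for illustration only (not real captures).
LEGACY_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 10:00:00 GMT
Server: Oracle-Application-Server-11g
X-ORACLE-DMS-ECID: 005k2s0000000000000000000000
Last-Modified: Sat, 27 Sep 2014 03:45:12 GMT
Content-Type: text/html
"""

CURRENT_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 10:00:00 GMT
Server: nginx
Last-Modified: Mon, 03 Feb 2025 18:20:00 GMT
Content-Type: text/html
"""

# Banner fragments that identify an end-of-life Oracle middleware generation (assumed list).
LEGACY_BANNER_MARKERS = ("11g", "oracle-application-server")
# Login assets untouched for longer than this are treated as a patch-lag signal.
STALE_YEARS_THRESHOLD = 2.0


def parse_response_headers(raw: str) -> dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased name -> value dict."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def assess_endpoint(raw: str) -> dict:
    """Flag legacy Oracle middleware banners and long-unmodified content on a login endpoint."""
    hdrs = parse_response_headers(raw)
    server = hdrs.get("server", "")
    findings: list[str] = []

    if any(marker in server.lower() for marker in LEGACY_BANNER_MARKERS):
        findings.append(f"legacy Oracle middleware banner: {server}")
    if any(name.startswith("x-oracle-dms") for name in hdrs):
        findings.append("Oracle DMS diagnostic headers exposed")

    # Last-Modified describes the served resource, not the patch level, so it is only a
    # hint; but a login page nobody has touched for years usually means the stack is stale too.
    stale_years = None
    if "last-modified" in hdrs:
        modified = parsedate_to_datetime(hdrs["last-modified"])
        observed = (parsedate_to_datetime(hdrs["date"]) if "date" in hdrs
                    else datetime.now(timezone.utc))
        stale_years = (observed - modified).days / 365.25
        if stale_years > STALE_YEARS_THRESHOLD:
            findings.append(f"login content last modified {stale_years:.1f} years before observation")

    return {"server": server, "stale_years": stale_years,
            "findings": findings, "risk": "high" if findings else "low"}


if __name__ == "__main__":
    for label, response in (("legacy", LEGACY_RESPONSE), ("current", CURRENT_RESPONSE)):
        print(label, assess_endpoint(response))
```

The Last-Modified check is deliberately a hint rather than a verdict: a fresh Last-Modified on a static page proves nothing about the WebLogic or OAM patch level underneath, so a clean result here does not replace checking the deployed version against the CVE-2021-35587 advisory.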
Business impact and risks
In an alarming development, the threat actor has initiated an extortion campaign, contacting affected companies and demanding payment to remove their data from the stolen cache. This creates immediate financial pressure and complex legal and ethical decisions for victims regarding ransom payments.
To increase pressure on both Oracle and affected organizations, the attacker has established a presence on social media platform X (formerly Twitter), following Oracle-related accounts and presumably preparing to increase public visibility of the breach if ransom demands aren’t met.
“Companies affected by the breach can contact me to publicly verify if their data originates from Oracle Cloud, and I’ll remove it from my dataset slated for sale,” the hacker with the alias “rose87168” wrote in an X post.
With over 140,000 tenants potentially affected, the breach carries substantial supply chain implications, as compromised authentication mechanisms could allow attackers to pivot between connected organizations and systems. This multiplier effect dramatically increases the potential damage radius beyond the initial breach.
Recommended mitigation steps
CloudSEK has outlined a comprehensive response strategy for potentially affected organizations.
“The first priority is immediate credential rotation – resetting all passwords for LDAP user accounts, with particular attention to privileged accounts such as Tenant Administrators that could provide broad access across systems,” the report suggested.
Security teams should implement stronger authentication controls, including multi-factor authentication (MFA) and enhanced password policies. This helps mitigate the risk of credential reuse even if the stolen encrypted passwords are eventually decrypted by attackers.
The report also added that organizations must regenerate and replace all affected cryptographic material, including certificates, SSO signing keys, and any SAML or OIDC secrets tied to the compromised LDAP configurations. This cryptographic hygiene is essential to restore trust in the authentication mechanisms, since stolen keystores and JPS keys remain usable until the keys they protect are retired.
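The first step above, rotating every LDAP credential with privileged accounts first, is easier to execute and audit from a prioritized list than from a directory browser. The Python below is an added example written for this article, not code from CloudSEK or Oracle: it reads an LDIF export, treats any account whose password predates a chosen cutoff as unrotated, and orders the work so Tenant Administrators come first and the longest-unrotated (or never-recorded) accounts lead each tier. The LDIF sample is constructed, the group DN and the use of the pwdChangedTime password-policy attribute are assumptions about the target directory, and the cutoff is set to March 21, 2025, the day CloudSEK reported the sale; an investigation that establishes an earlier compromise window should move it back.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Constructed LDIF export for illustration; not data from the reported incident.
# pwdChangedTime is the password-policy operational attribute in GeneralizedTime form;
# memberOf carries group membership as many directories return it. Entry "dave" has
# no change record at all, which the plan treats as never rotated.
SAMPLE_LDIF = """dn: cn=alice,ou=users,dc=example,dc=com
cn: alice
memberOf: cn=TenantAdministrators,ou=groups,dc=example,dc=com
pwdChangedTime: 20241105081500Z

dn: cn=bob,ou=users,dc=example,dc=com
cn: bob
pwdChangedTime: 20250322120000Z

dn: cn=svc-saml,ou=users,dc=example,dc=com
cn: svc-saml
memberOf: cn=TenantAdministrators,ou=groups,dc=example,dc=com
pwdChangedTime: 20250320090000Z

dn: cn=carol,ou=users,dc=example,dc=com
cn: carol
pwdChangedTime: 20250101000000Z

dn: cn=dave,ou=users,dc=example,dc=com
cn: dave
"""

# A password counts as rotated only if changed on or after this instant (assumed:
# the date the stolen data was seen for sale; move earlier if compromise predates it).
CUTOFF = datetime(2025, 3, 21, tzinfo=timezone.utc)
# Assumed DN for the privileged group the report calls "Tenant Administrators".
ADMIN_GROUP_DN = "cn=TenantAdministrators,ou=groups,dc=example,dc=com"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries, multi-valued attributes as lists."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in the common YYYYMMDDHHMMSSZ form as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def rotation_plan(ldif_text: str, cutoff: datetime = CUTOFF,
                  admin_group_dn: str = ADMIN_GROUP_DN) -> list[dict]:
    """Accounts whose password predates the cutoff, privileged first, oldest first within a tier."""
    plan: list[dict] = []
    for entry in parse_ldif(ldif_text):
        changed = None
        if "pwdChangedTime" in entry:
            changed = parse_generalized_time(entry["pwdChangedTime"][0])
        if changed is not None and changed >= cutoff:
            continue  # already rotated after the cutoff; nothing to do
        is_admin = admin_group_dn.lower() in (g.lower() for g in entry.get("memberOf", []))
        plan.append({
            "cn": entry["cn"][0],
            "dn": entry["dn"][0],
            "priority": 1 if is_admin else 2,
            "last_changed": changed,  # None: no record of a change at all
        })
    plan.sort(key=lambda r: (r["priority"], r["last_changed"] or EPOCH))
    return plan


if __name__ == "__main__":
    for row in rotation_plan(SAMPLE_LDIF):
        print(row["priority"], row["cn"], row["last_changed"])
```

The script only produces the work list; the resets themselves are done with the directory's own tooling so that password-policy enforcement and audit logging apply. Note that svc-saml, rotated the day before the sale was observed, still lands in the plan: a change made before the cutoff offers no assurance, which is why the cutoff should be the earliest plausible compromise date rather than the date of discovery.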
“The sophistication of this attack highlights the continued challenges in securing cloud environments, particularly around authentication systems,” CloudSEK said in the report. “Organizations using Oracle Cloud services should treat this as a critical security incident requiring immediate action, regardless of whether they’ve been directly notified of compromise.”