Massive Oracle Cloud Breach: 6 Million Records Allegedly Stolen

Paige Henley, Former Editor
Published on: March 27, 2025

Cybersecurity firm CloudSEK uncovered a massive breach of six million sensitive records from Oracle Cloud, affecting more than 140,000 customers.

The breach involved the subdomain login.us2.oraclecloud.com, and CloudSEK believes the hacker used a known security flaw called CVE-2021-35587. This flaw is found in Oracle Access Manager, and it’s been left unattended since 2014.

The stolen data reportedly includes encrypted passwords, security keys, and other confidential, high-value information. The threat actor, known as “rose87168”, began selling the stolen data on March 21 and has requested help decrypting information.

“Additionally, the threat actor offered an incentive to anyone that helped them decrypt the SSO passwords, and/or crack the LDAP passwords… [which] if cracked, could enable further breaches across Oracle Cloud environments,” CloudSEK’s report read.

However, Oracle has denied that the breach occurred.

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” it said in a statement.

Despite this vehement statement, Oracle Cloud customers have confirmed that their data was leaked, and that it even came from live systems.

Jake Williams, a researcher at IANS and VP of R&D at Hunter Strategy, said he’s confident Oracle’s systems were breached — despite the company denying it.

“There is direct evidence that a threat actor was able to upload data to the web root of a login server that was being actively used, so it can’t just be a ‘legacy endpoint’ as some have suggested,” he said.

CloudSEK recommends anyone potentially impacted immediately change all credentials, begin threat monitoring, and strengthen access controls company-wide.

About the Author

Paige Henley was an editor at SafetyDetectives. She has three years of experience writing and editing various cybersecurity articles and blog posts about VPNs, antivirus software, and other data protection tools. As a freelancer, Paige enjoys working in a variety of content niches and is always expanding her knowledge base. Outside of work, she raises orphaned neonatal kittens, works on DIY projects around the house, and enjoys movie marathons on weekends with her husband and three cats.