CloudSEK Disputes Oracle Over Data Breach Denial with New Evidence


Oracle is caught up in a cybersecurity mess right now, with claims of a massive data breach affecting its cloud infrastructure. Last week, Hackread.com published an article based on the findings of cybersecurity firm CloudSEK revealing that a threat actor had stolen 6 million records from Oracle Cloud. The hacker, known as “rose87168”, claimed to have compromised a key Single Sign-On (SSO) endpoint, resulting in the exfiltration of sensitive data including SSO and LDAP credentials, OAuth2 keys, and customer tenant information.

Oracle’s Firm Denial

Shortly after the story broke, Oracle issued a categorical denial, stating firmly that “There has been no breach of Oracle Cloud.” The company maintained that the credentials published by the threat actor were not associated with Oracle Cloud and emphasized that no Oracle Cloud customers were affected. This statement directly contradicted the findings of CloudSEK, which had alerted the public and Oracle through formal reports.

CloudSEK’s Follow-Up Investigation

However, CloudSEK has doubled down in response to Oracle’s claims with a new follow-up analysis, presenting what it calls “conclusive evidence” of the breach. In a blog post, which the company shared with Hackread.com ahead of its publication on Monday, 25 March 2025, CloudSEK outlined how its researchers detected the threat actor’s activities on March 21, 2025.

According to the cybersecurity firm, its researchers traced the attack to a compromised production SSO endpoint (login.us2.oraclecloud.com), which the hacker exploited to steal records from more than 140,000 tenants.

CloudSEK also found evidence that the threat actor had actively used the compromised domain to authenticate API requests via OAuth2 tokens, as seen in an archived public GitHub repository under Oracle’s official "oracle-quickstart" account. The endpoint was confirmed to be in use for production purposes, contradicting Oracle’s assertion that the credentials were unrelated to its infrastructure.

New Evidence: Real Customer Data Confirmed

One of the most noteworthy pieces of evidence involves real customer domains that the hacker provided as samples. CloudSEK verified the domains against publicly available data and found that they were, in fact, valid Oracle Cloud customers. Some of the domains identified include:

These domains were present in GitHub repositories and Oracle partner documentation, and CloudSEK confirmed they were not mere dummy or canary accounts. Furthermore, the compromised endpoint, login.us2.oraclecloud.com, was validated as an active production SSO setup, used in real-world configurations by OneLogin and Rainfocus.

The screenshot shared by CloudSEK shows that “login.us2.oraclecloud.com” was a production SSO setup.

The Impact and Concerns

The impact of this breach, if confirmed, could be serious. The exposure of 6 million records, including encrypted SSO and LDAP passwords, risks unauthorized access, espionage, and data breaches across affected systems. Furthermore, the inclusion of JKS files and OAuth2 keys means attackers might gain long-term control over affected services.

CloudSEK warns that the compromised credentials could potentially be cracked and reused in a way that poses further risks to enterprise environments. The hacker is also reportedly demanding ransom payments from affected companies to delete the stolen data, amplifying both financial and reputational threats.

CloudSEK’s Stance: Evidence over Speculation

In response to Oracle’s denial, Rahul Sasi, CEO of CloudSEK, said that the company is focused on providing transparency and evidence rather than speculation. CloudSEK has been sharing its findings through public reports and free tools to help organizations assess whether they are affected.

Additionally, Rahul recommends that companies change their SSO and LDAP credentials immediately and set up multi-factor authentication (MFA) for added protection. It is also important to take a closer look at logs to spot any unusual activity related to the compromised endpoint. Keeping an eye on dark web forums for any signs of leaked data is a good move too. On top of that, it is a good idea to get in touch with Oracle Security to identify any weak spots and fix them.
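As an added illustration of the log review step above (not code from CloudSEK, Oracle or Hackread), the following script flags users whose authentication events against login.us2.oraclecloud.com come from client addresses never seen for that user before the March 21, 2025 detection date. The log layout, the "/oauth2/token" path and the sample lines are constructed assumptions, not a real Oracle log format.

```python
import re
from collections import defaultdict
from datetime import datetime

COMPROMISED_HOST = "login.us2.oraclecloud.com"   # endpoint named in CloudSEK's report
DETECTION_DATE = datetime(2025, 3, 21)            # date CloudSEK says it first saw the actor

# Constructed sample log: "timestamp client_ip user host path status" (assumed layout).
SAMPLE_LOG = """\
2025-03-18T09:12:01Z 10.0.0.5 alice login.us2.oraclecloud.com /oauth2/token 200
2025-03-20T22:40:13Z 10.0.0.5 alice login.us2.oraclecloud.com /oauth2/token 200
2025-03-22T03:15:44Z 203.0.113.77 alice login.us2.oraclecloud.com /oauth2/token 200
2025-03-22T03:16:02Z 203.0.113.77 svc-backup login.us2.oraclecloud.com /oauth2/token 200
2025-03-23T11:02:09Z 10.0.0.9 bob idp.example.com /saml/acs 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_events(log_text):
    """Parse the assumed log layout into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, host, path, status = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "host": host, "path": path, "status": int(status),
        })
    return events


def flag_new_sources(events, host=COMPROMISED_HOST, since=DETECTION_DATE):
    """Return {user: {client_ip, ...}} for users who authenticated against `host`
    on or after `since` from an address not seen for that user before `since`."""
    baseline = defaultdict(set)   # per-user client IPs observed before the detection date
    recent = defaultdict(set)     # per-user client IPs observed on/after the detection date
    for ev in events:
        if ev["host"] != host:
            continue
        (baseline if ev["time"] < since else recent)[ev["user"]].add(ev["ip"])
    flagged = {}
    for user, ips in recent.items():
        new_ips = ips - baseline.get(user, set())
        if new_ips:
            flagged[user] = new_ips
    return flagged


if __name__ == "__main__":
    for user, ips in flag_new_sources(parse_events(SAMPLE_LOG)).items():
        print(f"review: {user} authenticated from new address(es) {sorted(ips)}")
```

Hits are a starting point for review, not proof of compromise; a user legitimately working from a new network will also appear.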

Hackread.com has reached out to Oracle. Stay tuned for updates!
