
Oracle Cloud Breach Allegations: Unraveling the Controversy
The alleged data breach involving Oracle Cloud has stirred significant controversy in the cybersecurity community. A threat actor, identified as ‘rose87168’, claimed responsibility for accessing Oracle’s federated Single Sign-On (SSO) login servers, allegedly compromising sensitive information of approximately 6 million users. This includes authentication data and encrypted passwords, which the actor suggested could be decrypted with additional exfiltrated information (BleepingComputer). Despite these claims, Oracle has firmly denied any breach, asserting that no customer data was compromised and that the credentials in question did not originate from their Cloud services (The Register). This denial has been met with skepticism, as security researchers and affected companies have provided evidence supporting the breach claims, including the validity of data samples shared by the threat actor (CloudSEK).
Unpacking the Alleged Breach: Claims and Counterclaims
Claims of the Breach
The alleged breach of Oracle Cloud has been a contentious issue, with a threat actor known as ‘rose87168’ claiming responsibility for the unauthorized access and theft of data. The actor asserted that they had breached Oracle Cloud servers, specifically targeting the federated Single Sign-On (SSO) login servers, and obtained sensitive information, including authentication data and encrypted passwords for approximately 6 million users (BleepingComputer). The threat actor further claimed that the stolen SSO and LDAP (Lightweight Directory Access Protocol) passwords could be decrypted using information contained within the exfiltrated files, and offered to share some of the data with parties able to help decrypt them.
In support of these claims, the threat actor released multiple text files purportedly containing a database, LDAP data, and a list of 140,621 domains of companies allegedly impacted by the breach (BleepingComputer). Additionally, a URL to a text file hosted on Oracle’s server was shared, indicating the actor’s ability to create files on Oracle’s infrastructure, thus suggesting an actual breach.
Counterclaims by Oracle
Oracle has consistently denied any breach of its Cloud services, maintaining that no customer data was compromised. The company stated that the published credentials were not from Oracle Cloud, and no Oracle Cloud customers experienced a breach or data loss (The Register). Oracle’s spokesperson reiterated, “There has been no breach of Oracle Cloud,” directly contradicting the claims made by the threat actor and some security researchers.
Despite the mounting evidence presented by the threat actor and corroborated by some companies, Oracle has refused to acknowledge any security incident. The company’s steadfast denial has fueled further debate and skepticism among cybersecurity experts and affected parties.
Evidence Supporting the Breach Claims
Security researchers, including those from CloudSEK, have provided additional evidence supporting the threat actor’s claim of exfiltrating 6 million records. CloudSEK’s investigation pointed to a possible undisclosed vulnerability in Oracle’s login servers as the likely means of unauthorized access (CloudSEK). The researchers assessed the threat actor’s methods as highly sophisticated and rated the incident as high severity.
Furthermore, BleepingComputer confirmed with multiple companies that the data samples shared by the threat actor were valid, with representatives verifying the authenticity of the information under the promise of anonymity (BleepingComputer). These confirmations have cast doubt on Oracle’s denial, as the associated LDAP display names, email addresses, and other identifying information were found to be accurate.
Discrepancies and Doubts
The discrepancies between Oracle’s statements and the evidence presented by the threat actor and security researchers have led to significant doubts about the company’s denial. Experts have questioned Oracle’s refusal to acknowledge the breach, especially given the corroborated evidence of data authenticity and the threat actor’s ability to create files on Oracle’s server (The Register).
Alon Gal, co-founder and CTO at Hudson Rock, received a 10,000-line sample of the allegedly stolen data, further validating the claims of a breach. This sample included customer security keys, encrypted credentials, and LDAP entries, all of which were consistent with the threat actor’s assertions (The Register).
Implications and Industry Reactions
The alleged breach has significant implications for Oracle and its customers, raising concerns about the security of cloud services and the potential impact on affected companies. The incident has sparked a war of words between Oracle and security researchers, with the latter challenging the company’s denial and urging for greater transparency and accountability (ITPro).
Industry experts have called for a thorough investigation into the alleged breach, emphasizing the need for Oracle to address the vulnerabilities and enhance its security measures to prevent future incidents. The situation underscores the importance of robust cybersecurity practices and the potential risks associated with cloud computing environments.
In conclusion, the ongoing dispute between Oracle and the threat actor highlights the complexities of cybersecurity incidents and the challenges in verifying and responding to breach claims. As the situation unfolds, the industry will be closely monitoring Oracle’s actions and the potential repercussions for cloud security standards.
Final Thoughts
The Oracle Cloud breach allegations illustrate how difficult it can be to establish what actually happened in a cybersecurity incident. While Oracle maintains its stance of no breach, the evidence presented by security researchers and corroborated by affected companies paints a different picture. This situation highlights the critical need for transparency and robust security measures in cloud services. As the debate continues, the industry watches closely, recognizing the potential implications for cloud security standards and the importance of addressing vulnerabilities to prevent future incidents (ITPro). The ongoing discourse between Oracle and cybersecurity experts serves as a reminder of the evolving nature of cyber threats and the necessity for continuous vigilance and innovation in security practices.
References
- BleepingComputer. (2025). Oracle customers confirm data stolen in alleged cloud breach is valid. https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
- The Register. (2025). Oracle Cloud customers’ keys and credentials. https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credentials/
- CloudSEK. (2025). The biggest supply chain hack of 2025: 6M records for sale exfiltrated from Oracle Cloud affecting over 140k tenants. https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
- ITPro. (2025). Oracle breach: CloudSEK. https://www.itpro.com/security/data-breaches/oracle-breach-cloudsek