28 March, 2025
On March 21, 2025, reports surfaced of a significant breach targeting Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. The incident, which allegedly affected more than 140,000 tenants across multiple industries, has sparked intense debate and controversy in the security community.
At CPX, our Threat Intelligence team has conducted an in-depth investigation into this breach, analyzing available intelligence from multiple sources, including BreachForums, to provide a comprehensive overview of the situation.
A threat actor operating under the alias “rose87168” claimed to have exfiltrated approximately 6 million records from Oracle Cloud's authentication systems. The stolen data allegedly included:
- Java KeyStore (JKS) files
- Encrypted SSO passwords
- Encrypted LDAP passwords
- Enterprise Manager JPS keys
The attacker stated that they exploited a vulnerability in Oracle Cloud's login infrastructure, specifically the endpoint login.(region-name).oraclecloud.com.
The prevailing theory is that the breach is related to CVE-2021-35587, a critical (CVSS 9.8) vulnerability in the OpenSSO Agent component of Oracle Access Manager, which is part of Oracle Fusion Middleware. The flaw allows an unauthenticated attacker with HTTP access to take over the Access Manager instance, and affected releases include the 11.1.2.3.0 line as well as 12.2.1.3.0 and 12.2.1.4.0. CISA added it to the Known Exploited Vulnerabilities catalog in late 2022.
Oracle quickly denied the breach claims. In a statement to BleepingComputer and other outlets, Oracle stated: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Oracle maintained that the attacker's “proof” was merely a text file containing a ProtonMail address, captured by the Wayback Machine, and that it contained no Oracle customer data.
Despite Oracle's denials, several pieces of evidence have emerged that challenge the company's stance:
1. Customer confirmations: BleepingComputer reported that multiple companies confirmed the authenticity of data samples shared by the threat actor.
2. Server configuration: an archive.org snapshot shows that the “login.us2.oraclecloud.com” server was running Oracle Fusion Middleware 11g as of February 17, 2025. That release line is among the versions affected by CVE-2021-35587.
3. Email exchanges: The threat actor shared emails with BleepingComputer, claiming to be part of an exchange between them and Oracle's security team.
4. GitHub evidence: an archived repository under Oracle’s official ‘oracle-quickstart’ GitHub account contains a script (mpapihelper.py) that uses login.us2.oraclecloud.com for OAuth2 token generation, tying the host to Oracle's own tooling.
5. Sample Data Disclosure: The threat actor shared three files, Sample_LDAP.txt, Company.List.txt, and Sample_Database.txt, as proof of access. These contain sensitive LDAP entries, user credentials, and enterprise identity metadata allegedly linked to Oracle Cloud environments.
If the breach claims are accurate, the potential impact is severe: Java KeyStore files and JPS keys exfiltrated alongside encrypted SSO and LDAP passwords could give the attacker the material needed to recover those passwords and impersonate users across the affected tenants.
While the full extent of the breach remains unclear, organizations using Oracle Cloud services should take immediate action:
1. Rotate credentials: Change all SSO and LDAP passwords associated with Oracle Cloud services, and treat any JKS files and JPS keys that may have been exposed as compromised, reissuing the keys and certificates they hold.
2. Enable MFA: Enforce multi-factor authentication on every access path into the environment, with the SSO front end as the priority.
3. Audit access logs: Review SSO and LDAP authentication logs for anomalies such as logins from unfamiliar sources, a single address authenticating as many accounts, or successes that follow runs of failures.
4. Patch systems: Confirm that Oracle Access Manager and other Fusion Middleware components are on supported, patched releases, and in particular that CVE-2021-35587 is remediated.
5. Enhance monitoring: Add detection coverage for the identity tier (SSO, LDAP, and token issuance), not only for workloads running in the cloud.
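The log-audit step is easier to act on with concrete detection logic. The following Python script is an added example written for this article, not code from Oracle or from the CPX investigation. It assumes a generic JSON-lines authentication log with the fields ts, tenant, user, src_ip and result (not an Oracle log format), and the sample records embedded in it are constructed. It flags the two patterns that leaked SSO and LDAP credentials would most plausibly produce: a single source address authenticating as many accounts across several tenants, and a successful login preceded by failed attempts against other accounts from the same address within a short window.

```python
"""Hunt for credential-reuse patterns in authentication logs.

Added example; assumes a generic JSON-lines log with fields
ts, tenant, user, src_ip and result. Field names and sample
records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample: one address (203.0.113.7) works through accounts in
# three tenants, failing on three before succeeding twice; a second address
# is an ordinary user logging in normally.
SAMPLE_LOG = """\
{"ts": "2025-03-22T01:00:05Z", "tenant": "acme", "user": "alice", "src_ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2025-03-22T01:00:09Z", "tenant": "acme", "user": "bob", "src_ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2025-03-22T01:00:14Z", "tenant": "globex", "user": "carol", "src_ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2025-03-22T01:00:20Z", "tenant": "globex", "user": "dave", "src_ip": "203.0.113.7", "result": "SUCCESS"}
{"ts": "2025-03-22T01:00:31Z", "tenant": "initech", "user": "erin", "src_ip": "203.0.113.7", "result": "SUCCESS"}
{"ts": "2025-03-22T08:15:00Z", "tenant": "acme", "user": "alice", "src_ip": "198.51.100.23", "result": "SUCCESS"}
{"ts": "2025-03-22T08:16:00Z", "tenant": "acme", "user": "alice", "src_ip": "198.51.100.23", "result": "SUCCESS"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts with 'ts' as a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def sources_spanning_tenants(events, min_tenants=2, min_users=3):
    """Source addresses that authenticated as many accounts across several tenants.

    A bulk credential leak is most useful to someone who tries it against many
    accounts; legitimate users almost never touch multiple tenants from one address.
    """
    tenants = defaultdict(set)
    accounts = defaultdict(set)
    for e in events:
        tenants[e["src_ip"]].add(e["tenant"])
        accounts[e["src_ip"]].add((e["tenant"], e["user"]))
    return {
        ip: {"tenants": sorted(tenants[ip]), "accounts": len(accounts[ip])}
        for ip in tenants
        if len(tenants[ip]) >= min_tenants and len(accounts[ip]) >= min_users
    }


def successes_after_failures(events, window=timedelta(minutes=10), min_failures=2):
    """Successful logins preceded, within `window`, by failures for other
    accounts from the same address (a spray that eventually lands).

    Returns (src_ip, tenant, user, distinct_failed_accounts) tuples.
    """
    by_ip = defaultdict(list)
    for e in events:  # events are already time-ordered
        by_ip[e["src_ip"]].append(e)
    hits = []
    for ip, recs in by_ip.items():
        for i, e in enumerate(recs):
            if e["result"] != "SUCCESS":
                continue
            failed_accounts = {
                (p["tenant"], p["user"])
                for p in recs[:i]
                if p["result"] == "FAILURE" and e["ts"] - p["ts"] <= window
            }
            if len(failed_accounts) >= min_failures:
                hits.append((ip, e["tenant"], e["user"], len(failed_accounts)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("sources spanning tenants:", sources_spanning_tenants(evs))
    for ip, tenant, user, n in successes_after_failures(evs):
        print(f"{ip}: success as {tenant}/{user} after {n} failed accounts")
```

Both detectors are deliberately keyed on the source address rather than on individual accounts, because an attacker holding a leaked credential set changes accounts far more often than network position; tune the thresholds and window to your own baseline before alerting on them.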
The alleged Oracle Cloud breach of 2025 serves as a stark reminder of the complexities and vulnerabilities inherent in modern cloud ecosystems. While Oracle continues to deny any compromise, the evidence presented by security researchers and affected customers raises serious questions about the security of one of the world's largest cloud providers.
As the situation continues to unfold, it's crucial for organizations to remain vigilant, prioritize cybersecurity best practices, and maintain open lines of communication with their cloud service providers. The incident also underscores the importance of regular security audits, prompt patching, and the need for transparency in the face of potential breaches.
The CPX Threat Intelligence team will continue to investigate as more details emerge, as this incident is likely to have far-reaching implications for cloud security practices and regulations in the years to come.
[1] Oracle Cloud Breach Exploiting CVE-2021-35587 - Orca Security https://orca.security/resources/blog/oracle-cloud-breach-exploiting-cve-2021-35587/
[2] Oracle customers confirm data stolen in alleged cloud breach is valid https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
[3] 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants