Skip to main content
close search
site logo
Dive Brief

Threat actor in Oracle Cloud breach may have gained access to production environments

Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.

Published March 27, 2025
David Jones's headshot
Reporter
Oracle's Silicon Valley corporate headquarters in Redwood, California pictured on September 9, 2019.
Oracle's Silicon Valley corporate headquarters in Redwood, California, pictured on Sept. 9, 2019. The technology company activated its first Oracle Database@AWS integration Monday. Sundry Photography via Getty Images

Dive Brief:

  • Security researchers are analyzing a 10,000-line dataset provided by a hacker who claimed to have breached Oracle Cloud. The threat actor claimed to have 6 million Oracle Cloud records, which may have impacted more than 140,000 tenants.
  • The sample being analyzed has information on about 1,500 organizations, which, if confirmed, would underscore the breadth of the exfiltrated data, according to researchers at CloudSEK. 
  • There is evidence that indicates the hacker gained access to production environments based on the formatting of tenant IDs, according to researchers.

Dive Insight:

Oracle previously denied the claims of a breach, and it has not responded to numerous requests for comment by Cybersecurity Dive. 

As previously reported, a hacker identified as rose87168 claimed credit for the incident, which they said was done by exploiting a vulnerability in Oracle Cloud’s login endpoint. 

The alleged breach involved CVE-2021-35587, a vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware. The vulnerability, with a CVSS score of 9.8, allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. 

CloudSek plans to release additional findings on the threat actor sample, but it said existing evidence points to the sample being authentic and without any test or dummy data. 

Researchers said the dataset contains numerous individual email addresses, which point to organizations allowing or using SSO-based authentication.

Filed Under: Vulnerability, Threats

Editors' picks

Company Announcements

View all | Post a press release
360 Privacy Secures $36 Million Growth Investment from FTV Capital
From 360 Privacy
March 11, 2025
Operant Networks Launches Embedded Zero Trust Security Software for PLCs
From Operant Networks
March 19, 2025
Fathom5’s ARIA Continues Revolutionizing Cyber-Resilient Machinery Control Systems
From Fathom5
March 19, 2025
Monro Data Breach Investigation
From Migliaccio & Rathod LLP
March 26, 2025
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.