Skip to main content
close search
site logo
Dive Brief

Researchers back claim of Oracle Cloud breach despite company’s denials

Security researchers from CloudSEK provided additional evidence supporting a hacker’s claim to have exfiltrated 6 million records.

Published March 25, 2025
David Jones's headshot
Reporter
Oracle's Silicon Valley corporate headquarters in Redwood City, California picture on Oct. 26, 2019.
Oracle's Silicon Valley corporate headquarters in Redwood City, California, on Oct. 26, 2019. The company has denied claims that its Oracle Cloud environment was compromised in a suspected March 2025 breach. Sundry Photography via Getty Images

Dive Brief:

  • Security researchers said they confirmed a breach of Oracle Cloud after a previously unknown threat actor posted an offer to sell more than 6 million records. The technology firm denied the original hacking claim, but CloudSEK presented supporting evidence in a follow-up report released Monday.
  • Researchers said the hacker, identified as “rose87168,” successfully exploited a vulnerability in Oracle Cloud’s login endpoint, allowing the attacker to access the records. 
  • The stolen data includes single sign-on credentials, Lightweight Director Access Protocol passwords, OAuth2 keys and tenant data, according to CloudSEK.

Dive Insight:

CloudSEK on Friday released a report claiming the hacker had exfiltrated more than 6 million records that impacted more than 140,000 tenants. 

Researchers said the hacker, who has been active since January, was offering incentives for anyone to help decrypt the SSO passwords so they could pressure companies to pay a “fee” for data removal, according to CloudSEK researchers. 

Oracle issued a statement to BleepingComputer Friday denying there was any breach. However, CloudSEK researchers released an additional report on Monday, with new evidence supporting the breach claim. 

CloudSEK said the hacker accessed login.us2.oraclecloud.com, a production SSO server that was active about 30 days before researchers discovered the breach on Friday. 

“We suspect the actor leveraged a zero-day vulnerability or misconfiguration in the OAuth2 authentication process,” a spokesperson for CloudSEK said via email.

A spokesperson for Oracle was not immediately available for comment. 

Jake Williams, a faculty member at IANS Research and VP of R&D at Hunter Strategy, said even with Oracle’s denials, he has “little doubt” that a compromise of Oracle’s environment took place.

“There is direct evidence that a threat actor was able to upload data to the web root of a login server that was being actively used, so it can’t just be a ‘legacy endpoint’ as some have suggested,” Williams said via email.

Filed Under: Breaches

Editors' picks

Company Announcements

View all | Post a press release
Monro Data Breach Investigation
From Migliaccio & Rathod LLP
March 26, 2025
Fathom5’s ARIA Continues Revolutionizing Cyber-Resilient Machinery Control Systems
From Fathom5
March 19, 2025
Operant Networks Launches Embedded Zero Trust Security Software for PLCs
From Operant Networks
March 19, 2025
360 Privacy Secures $36 Million Growth Investment from FTV Capital
From 360 Privacy
March 11, 2025
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.