Six Million Records Potentially Compromised in Oracle Cloud Breach

Author

Daniela Melo

Publish Date

Type

Cyber Alert

Topics
  • Cybersecurity

Security researchers recently identified a threat actor selling authentication records exfiltrated from Oracle Cloud, suggesting a breach of Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. These records include highly sensitive information that poses a security risk to impacted firms, like encrypted SSO passwords, security certificates, and encryption key files.

While Oracle has denied the breach, claiming the sample credentials published by the attacker “are not for the Oracle Cloud,” further investigation by CloudSEK and other independent researchers validated the breach—matching existing client records to a sample of the exfiltrated data that included information from 1,500+ unique organizations.

Since publishing the sample, the attacker, identified as “rose87168”, has directed organizations to make ransom payments for the removal of their data.

Security risk details

The threat actor most likely used a known vulnerability (CVE-2021-35587) to access one of Oracle Cloud’s login endpoints. The vulnerability, originally reported in December 2022, allows unauthenticated attackers to compromise Oracle Access Manager instances. Although the vulnerability was reported over two years ago, CloudSEK’s investigation revealed that the endpoint exploited by the attacker had not been updated since 2014 and was in active use as recently as February 17, 2025.

Potential impact

The threat actor gained access to organizations’ production environments and exfiltrated data from over 140,000 tenants. The exfiltrated data mostly consists of credential information, including different types of credential repository keys and key files (such as Java KeyStore files) and encrypted passwords (including SSO and LDAP passwords). The threat actor was also able to exfiltrate personal emails associated with SSO credentials.

Further compromise of Oracle Cloud environments is likely if the encrypted passwords accessed by the threat actor are successfully decrypted. Exposure of Java KeyStore (JKS) and key files also presents risks to the supply chain, as they may allow attackers to compromise multiple connected systems.

Mitigation and remediation

We recommend quick action to minimize the impact of the breach:

  • Passwords and credentials for all compromised LDAP user accounts should be reset, enforcing strong password policies and multi-factor authentication (MFA).
  • SSO/SAML/OIDC secrets or certificates should be regenerated or replaced.
  • Investigations should be conducted to identify suspicious authentication attempts.
  • Organizations should communicate with third-party vendors to determine if they have been impacted and if mitigation/remediation measures have been taken.
  • Review patch management policies and procedures to ensure workflows are in place for efficient patching of known vulnerabilities.
  • Organizations should review existing incident response and business continuity plans to ensure an efficient response if they are impacted by this breach.
  • Organizations should engage in threat intelligence monitoring to track mentions of leaked data in association with the breach.
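As an added example (not code from this alert or from ACA), the following Python script applies the recommendation to look for suspicious authentication attempts to a few constructed SSO/LDAP log lines. It flags a burst of failures followed by a success on one account, and any successful login by an account whose password has not been reset since the breach window; the log format, the sample accounts and reset dates, and the use of February 17, 2025 as the cut-off are all assumptions.

```python
# Added example, not from the ACA alert. Triage constructed SSO/LDAP
# authentication records after a credential dump. Two findings are raised:
#  (1) FAIL_THRESHOLD or more failures on one account followed by a SUCCESS
#      (consistent with someone trying recovered passwords), and
#  (2) a SUCCESS for an account whose password predates the breach cut-off.
from collections import defaultdict
from datetime import datetime

# Assumed cut-off: last observed active use of the endpoint per the alert.
BREACH_CUTOFF = datetime(2025, 2, 17)
FAIL_THRESHOLD = 3

# Constructed sample log: timestamp, user, result, source IP (assumed format)
SAMPLE_LOG = """\
2025-03-20T08:01:10 alice FAIL 203.0.113.5
2025-03-20T08:01:12 alice FAIL 203.0.113.5
2025-03-20T08:01:15 alice FAIL 203.0.113.5
2025-03-20T08:01:20 alice SUCCESS 203.0.113.5
2025-03-20T09:00:00 bob SUCCESS 198.51.100.7
2025-03-20T09:05:00 carol SUCCESS 192.0.2.9
"""

# Constructed: date of each account's most recent password reset
LAST_PASSWORD_RESET = {
    "alice": datetime(2025, 3, 18),
    "bob": datetime(2024, 11, 2),   # never reset after the breach window
    "carol": datetime(2025, 3, 19),
}

def parse(log_text):
    """Turn the constructed log text into (timestamp, user, result, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events

def find_suspicious(events, resets, cutoff=BREACH_CUTOFF, threshold=FAIL_THRESHOLD):
    """Return a sorted list of (user, reason) findings for analyst review."""
    findings = set()
    recent_fails = defaultdict(int)   # consecutive failures per user
    for ts, user, result, ip in sorted(events):
        if result == "FAIL":
            recent_fails[user] += 1
            continue
        if recent_fails[user] >= threshold:
            findings.add((user, f"success after {recent_fails[user]} failures from {ip}"))
        recent_fails[user] = 0        # a success ends the failure streak
        if resets.get(user, datetime.min) < cutoff:
            findings.add((user, "login with password not reset since breach cutoff"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in find_suspicious(parse(SAMPLE_LOG), LAST_PASSWORD_RESET):
        print(f"{user}: {reason}")
```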

How we help

ACA Aponix® helps firms strengthen their cybersecurity programs to mitigate risks from breaches and vulnerabilities. Our services include:

  • Aponix Protect™ is a comprehensive solution that helps you implement a robust patch management process, ensuring vulnerabilities are identified and remediated before they can be exploited. This service helps firms maintain secure backup environments and reduce exposure to cyber threats.
  • Our Vendor Due Diligence and Third-Party Risk Management services help firms identify and manage risks posed by vendors. By leveraging thorough assessments and ongoing monitoring, these services pinpoint vendors that could expose sensitive data or systems, enabling proactive risk mitigation.
  • ACA Vantage for Cyber provides targeted cyber health insights for portfolio companies, focusing on areas like patch management and vulnerability remediation. Combining expert advisory, ComplianceAlpha® technology, and RealRisk assessments, it helps pinpoint where additional support is needed to strengthen defences and maintain operational resilience.

Reach out to your ACA consultant, or contact us to find out how we can help secure your firm against cyber threats and comply with regulatory expectations.
