A supposed massive data leak in Oracle Cloud has recently been reported, potentially affecting more than 140,000 customers worldwide. According to CloudSEK, nearly 6 million confidential records may have been extracted by a threat actor identified as rose87168, who claims to have gained access by exploiting a supposed vulnerability in the login endpoint: login.(region-name).oraclecloud.com.
Among the compromised data, the attacker claims to have obtained:
- JKS files
- Encrypted SSO passwords
- Key files and JPS keys from Enterprise Manager
The information was allegedly put up for sale on dark web forums on March 21, 2025, even offering additional incentives to those who could help decrypt the SSO passwords or compromise LDAP credentials.
Oracle, however, has categorically denied these claims, officially confirming that no breach has occurred and that the published data does not belong to Oracle Cloud, as Oracle informed BleepingComputer.
It is worth noting that in the forums where the data was initially posted, some users have questioned the authenticity of the leak, suggesting it may belong to a test environment, and that the user who published the information in the forum has little reputation in the community. Various forum members are requesting additional proof to verify the authenticity of the incident.
However, a screenshot stored in the Wayback Machine on March 1, 2025, shows that the attacker may have uploaded a file containing their email address on the Oracle Cloud login server.
Additionally, it has been verified that some names and companies appearing in the sample leak provided by the attacker match real company profiles.
Despite Oracle's denial and the potential doubts about the authenticity of the incident, we recommend implementing the following preventive measures in Oracle Cloud tenants:
- 🔑 Reset passwords, especially for privileged accounts, and enforce mandatory MFA.
- 🔄 Immediate rotation of sensitive credentials (LDAP, SSO, certificates, and secrets related to SAML/OIDC).
- 🛡️ Strengthen security protocols with strict access controls, least privilege enforcement, and constant monitoring.