Alleged Oracle Cloud Breach Triggers Industry Scrutiny, Supply Chain Concerns
Thu | Mar 27, 2025 | 11:19 AM PDT

In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.

Despite Oracle's denial of any breach, cybersecurity experts and researchers from CloudSEK and other firms have raised serious concerns, pointing to potential vulnerabilities in Oracle's authentication systems and the broader implications for cloud-based supply chains.

A hacker's claim, and denial from Oracle

The story surfaced in early March when a hacker using the alias "rose87168" posted on a cybercrime forum, claiming responsibility for a massive data breach at Oracle. The attacker alleges that data was exfiltrated from Oracle Cloud's login infrastructure, specifically from the endpoint login.us2.oraclecloud.com. The leaked data includes Java KeyStore (JKS) files, encrypted SSO passwords, Enterprise Manager JPS keys, and key files—suggesting the compromise of credentials and authentication artifacts.

Oracle responded swiftly, stating: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

However, independent analysis by CloudSEK and other security researchers challenges that assertion.

CloudSEK investigates: a supply chain alarm bell

CloudSEK, a cybersecurity firm based in India, released a detailed analysis outlining technical evidence that supports the hacker's claims. According to their investigation: "The hacker exploited a vulnerability in the login infrastructure of Oracle Cloud (login.us2.oraclecloud.com), leading to the exfiltration of data that belongs to a wide range of Oracle customers."

CloudSEK also identified the likely exploit vector as CVE-2021-35587, a known critical vulnerability in Oracle Access Manager. Their researchers were able to verify that many of the domains included in the leaked data belonged to legitimate Oracle Cloud customers, lending credibility to the attacker's claims.

Further compounding concerns, the allegedly compromised data included artifacts typically used in federated identity configurations, suggesting the potential for lateral movement and privilege escalation in affected environments.

"The presence of keys, encrypted passwords, and SSO configurations indicates a high risk of broader compromise if these credentials are reused or misconfigured," CloudSEK noted in its findings.

Expert reactions: transparency, trust, and zero trust

Industry experts are urging Oracle to provide greater transparency and clarity in the wake of these allegations.

Chad Cragle, CISO at Deepwatch, posed a key question: "If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain? This indicates unauthorized access, even if it wasn't a full-scale compromise."

Patrick Tiquet, VP of Security & Architecture at Keeper Security, emphasized the importance of basic cyber hygiene, saying: "This underscores the critical need for timely patching and proactive security measures. Organizations must stay up to date with resources like CISA's Known Exposed Vulnerabilities catalog and NIST's Cybersecurity Framework."

Rom Carmel, CEO of Apono, highlighted the implications of improper access control: "This incident raises important questions about whether access to the server containing such sensitive resources was properly restricted—not just who had access, but also when that access was permitted."

Heath Renfrow, CISO and Co-founder at Fenix24, pointed to a common blind spot: "The exploitation of legacy systems and unpatched vulnerabilities... is consistent with how threat actors gain initial access and move laterally within cloud environments."

What's next: advice for cloud customers

While Oracle continues to deny that a breach occurred, security professionals recommend that organizations using Oracle Cloud services take precautionary measures, including:

  • Assess federated identity and SSO configurations for misconfigurations or abuse.

  • Rotate all credentials and keys potentially associated with Oracle Cloud environments.

  • Monitor for indicators of compromise (IOCs) tied to the reported artifacts.

  • Review patching status for all middleware components, especially Oracle Access Manager.
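The JKS files named in the leaked set are exactly the kind of artifact the rotation step above is about. As an added example (not from the article, Oracle or CloudSEK), here is a small Python parser that inventories a JKS keystore without decrypting anything, optionally checks its trailing integrity digest so a tampered or mislabelled store is flagged, and lists the private-key aliases a team would need to rotate; the sample keystore is constructed inline with dummy blobs and a placeholder password.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2          # entry tags used by the JKS format
JKS_SALT = b"Mighty Aphrodite"            # constant JKS mixes into its integrity digest

def _utf(buf, pos):                        # Java writeUTF: 2-byte length + UTF-8 bytes
    n, = struct.unpack_from(">H", buf, pos); return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def _blob(buf, pos):                       # 4-byte length + raw bytes
    n, = struct.unpack_from(">I", buf, pos); return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_jks(data, password=None):
    """Return [(alias, kind, created_ms, cert_count)] for a JKS v2 file. Keys stay
    opaque. If a password is given, the trailing SHA-1 digest is verified too."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore")
    pos, entries = 12, []
    for _ in range(count):
        tag, = struct.unpack_from(">I", data, pos); pos += 4
        alias, pos = _utf(data, pos)
        ts, = struct.unpack_from(">q", data, pos); pos += 8   # creation time, epoch ms
        if tag == PRIVATE_KEY:
            _, pos = _blob(data, pos)                         # encrypted key: not parsed
            n_certs, = struct.unpack_from(">I", data, pos); pos += 4
            for _ in range(n_certs):
                _, pos = _utf(data, pos); _, pos = _blob(data, pos)   # type ("X.509") + DER
            entries.append((alias, "private-key", ts, n_certs))
        elif tag == TRUSTED_CERT:
            _, pos = _utf(data, pos); _, pos = _blob(data, pos)
            entries.append((alias, "trusted-cert", ts, 1))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    if password is not None:   # digest = SHA1(password as UTF-16BE || salt || store body)
        want = hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + data[:pos]).digest()
        if want != data[pos:pos + 20]:
            raise ValueError("integrity digest mismatch: wrong password or tampered store")
    return entries

def rotation_candidates(entries):
    """Aliases that hold private keys: if the file leaked, these must be rotated."""
    return [alias for alias, kind, _, _ in entries if kind == "private-key"]

def build_sample_jks(password="changeit"):
    """Constructed sample store (dummy blobs, placeholder password) so this runs offline."""
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    body = struct.pack(">III", JKS_MAGIC, 2, 2)
    body += struct.pack(">I", PRIVATE_KEY) + utf("sso-signing") + struct.pack(">q", 1609459200000)
    body += blob(b"dummy-encrypted-key") + struct.pack(">I", 1) + utf("X.509") + blob(b"dummy-cert")
    body += struct.pack(">I", TRUSTED_CERT) + utf("idp-ca") + struct.pack(">q", 1735689600000)
    body += utf("X.509") + blob(b"dummy-ca-cert")
    return body + hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()
```

Run it against a real keystore with `parse_jks(open(path, "rb").read(), password)`; a digest mismatch on a file you believe is yours is itself worth investigating.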

This incident, whether fully verified or not, highlights the fragility and interconnectedness of modern cloud infrastructure—and the urgent need for layered, zero-trust security models.

As CloudSEK concluded in its report: "Even if Oracle's core infrastructure remains uncompromised, the presence of sensitive credentials from numerous tenants points to a serious supply chain issue with far-reaching consequences."

The security community will be watching closely as this story develops, pressing for answers and pushing for more resilient defenses in the ever-expanding cloud ecosystem.

Follow SecureWorld News for more stories related to cybersecurity.
