Introduction

In March 2025, a significant cybersecurity breach involving Oracle Cloud’s federated single sign-on (SSO) servers was reported [10]. A hacker group, Rose87168, claimed responsibility for the breach [2] [3] [4] [5] [6] [7] [8] [9] [10], which compromised approximately 6 million user records and affected over 144,000 Oracle clients. This incident has raised serious concerns about Oracle’s data security practices and has led to substantial repercussions for the company.

Description

A hacker group known as Rose87168 has claimed responsibility for breaching Oracle Cloud’s federated single sign-on (SSO) servers, resulting in the theft of approximately 6 million user records that impact over 144,000 Oracle clients. The breach was first reported on March 22, 2025, with the hacker asserting that they had accessed Oracle’s cloud infrastructure in January 2025 [10]. The compromised data reportedly includes sensitive information such as encrypted SSO passwords and authentication data [3] [9], Lightweight Directory Access Protocol (LDAP) passwords [5] [6], Java KeyStore (JKS) files [10], OAuth2 keys [5] [6], and tenant data [5] [6]. To substantiate the breach, Rose87168 uploaded a text file containing their online handle to an Oracle Cloud server, and several Oracle customers have verified that the data samples shared by the hacker appear authentic [9]. The hacker has threatened to leak or sell the stolen data on the dark web and has sought assistance from the hacking community to crack the hashed passwords in exchange for a share of the data.

Despite Oracle’s denials regarding the breach, which included assertions that the published credentials do not belong to Oracle Cloud and that no customers have lost data [9], the hacker began leaking evidence to media outlets and security researchers [6]. This prompted cybersecurity firms, including Hudson Rock and CloudSEK [6], to verify the legitimacy of the claims. CloudSEK confirmed that the breach exploited a zero-day vulnerability (CVE-2021-35587) in Oracle Fusion Middleware’s access manager software [6], which had been flagged in 2021 but remained unaddressed until a patch was issued in 2022. This critical vulnerability has a CVSS score of 9.8 and enables unauthenticated attackers with network access to compromise Oracle Access Manager. Researchers suspect that the attacker may have also exploited an old Remote Code Execution (RCE) vulnerability and a misconfiguration in OAuth2 authentication.

Trustwave’s security advisory confirmed that the leaked dataset contained highly sensitive user information, likely extracted from a corporate Identity and Access Management system or an HR-integrated directory [6]. This data reportedly includes personally identifiable information such as names, email addresses, job titles, and contact details [6]. Additionally, the hacker released a recording of an internal Oracle meeting, raising significant cybersecurity and operational risks for the affected organization [6]. On March 31, 2025, the hacker released further proof on Breach Forums, including internal LDAP records and partial credentials, which were verified as authentic by a forum administrator [1] [10].

The breach has raised serious concerns about Oracle’s management of machine identities and secrets, suggesting that compromised machine identities and poorly managed credentials, such as API keys or service accounts, facilitated unauthorized access to sensitive data [1]. Cybersecurity expert Kevin Beaumont criticized Oracle’s response, suggesting that the company’s terminology aimed to downplay the incident’s significance [6] [9]. He noted that Oracle had “rebadged” legacy services as “Oracle Classic,” implying a misleading narrative regarding the breach’s relevance [6]. Beaumont emphasized the need for Oracle to communicate transparently about the situation, while another cybersecurity expert, Lisa Forte, expressed skepticism about Oracle’s denial, indicating that if the breach is confirmed, it would reflect poorly on the company [9]. CloudSEK corroborated that the data was accurate and current, countering any claims that the breach involved outdated information [6]. Beaumont and other experts expressed concern over Oracle’s lack of transparency and guidance following the incident, urging affected customers to follow mitigation recommendations from cybersecurity firms until Oracle provides clear guidance [6]. The situation has created confusion among Oracle’s customers about whether to take urgent security measures or to trust Oracle’s assurances that no breach occurred, complicating the ability of potentially vulnerable users to protect themselves [4]. The breach resulted in a loss of customer trust, leading to substantial financial liabilities, potential regulatory penalties, and significant reputational damage [1]. In response to the breach, a class action lawsuit has been filed against Oracle Corporation in Texas, alleging that the company failed to protect sensitive information and did not promptly notify affected individuals [10]. The connection between this breach and a subsequent theft of patient data remains unclear [8].

Conclusion

The Oracle Cloud breach has highlighted significant vulnerabilities in the company’s data security practices, leading to a loss of trust among its clients and potential legal and financial repercussions. The incident underscores the importance of timely vulnerability management and transparent communication in maintaining cybersecurity. Moving forward, Oracle must address these issues to restore confidence and prevent future breaches. Affected customers are advised to follow cybersecurity firms’ mitigation recommendations until Oracle provides clear guidance.

References

[1] https://securityboulevard.com/2025/03/lessons-from-the-oracle-and-coinbase-breaches/
[2] https://thisweekhealth.com/captivate-podcast/2-minute-drill-oracles-double-breach-trouble/
[3] https://b2bnews.co.nz/news/oracle-faces-backlash-over-cybersecurity-failures/
[4] https://www.cybersecurityintelligence.com/blog/oracle-cloud-denies-it-has-been-breached-8339.html
[5] https://www.cybersecuritydive.com/news/hacker-linked-to-oracle-cloud-intrusion-threatens-to-sell-stolen-data/743981/
[6] https://www.techspot.com/news/107362-oracle-hid-serious-data-breach-customers-now-hacker.html
[7] https://www.cm-alliance.com/cybersecurity-blog/biggest-cyber-attacks-ransomware-attacks-data-breaches-of-march-2025
[8] https://www.techzine.eu/news/security/130085/oracle-warns-customers-that-patient-data-has-been-leaked/
[9] https://techcrunch.com/2025/03/31/oracle-under-fire-for-its-handling-of-separate-security-incidents/
[10] https://hackread.com/oracle-lawsuit-over-cloud-breach-affecting-millions/