Tuesday, April 1, 2025

Oracle denies breach as hacker offers 6 million records for sale


A reported cyberattack targeting Oracle Cloud has raised concerns about potential data exposure across a wide range of organisations.

On March 21, cybersecurity firm CloudSEK said that 6 million records had been compromised, with over 140,000 Oracle Cloud tenants possibly affected.

CloudSEK attributed the incident to a threat actor identified as “rose87168,” who allegedly obtained the data through Oracle’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. The attacker has listed the records for sale online and is reportedly demanding payment from affected companies for data removal.

Alleged scope and method of attack

According to CloudSEK’s findings, the attacker used an undisclosed vulnerability in Oracle WebLogic Server to gain access to login endpoints across regions associated with Oracle Cloud. The exposed data is said to include Java KeyStore (JKS) files, encrypted passwords for SSO and LDAP systems, key files, and Enterprise Manager JPS keys.

The compromised endpoint is believed to be “login.(region-name).oraclecloud.com.” The attacker has also created a profile on X (formerly Twitter), appearing to follow accounts associated with Oracle and affected businesses, possibly in an effort to pressure victims.

CloudSEK has rated the threat as “High” due to its reported scale and the sensitivity of the data involved.

CloudSEK’s response and recommendations

The cybersecurity firm has recommended that organisations using Oracle Cloud take quick actions, such as resetting credentials, launching forensic investigations, monitoring for leaked data on the dark web, and applying stricter access controls.

CloudSEK further warned that if the encrypted credentials are successfully deciphered, there could be far-reaching consequences, like unauthorised access, potential data leaks, and risks to connected systems across supply chains.

Oracle disputes claims of breach

Oracle has denied that its cloud systems were compromised. In a statement to The Register, a company spokesperson said, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

The company’s response followed online activity by the threat actor, who posted samples of what was claimed to be stolen Oracle Cloud data on cybercrime forums, including screenshots and a text file uploaded to one of Oracle’s login servers. The file contained an email address associated with the seller and was captured by the Internet Archive’s Wayback Machine.

While Oracle has not commented further, investigations by third parties, including Bleeping Computer, noted that one of the affected servers was reportedly running an older version of Oracle Fusion Middleware as recently as February 2025. Security researchers have speculated that an unpatched critical vulnerability—CVE-2021-35587—may have been involved, although this has not been confirmed.

Ongoing uncertainty around claims

The attacker, who appears to have no known history prior to this incident, has also offered the alleged data in exchange for zero-day exploits or cryptocurrency. In forum posts, they claimed to have contacted Oracle about a month earlier with a request for over $200 million in cryptocurrency in return for details of the breach.

They also sought assistance in decrypting the SSO and LDAP credentials, suggesting that the information, while encrypted, might be usable with the right tools or collaboration.

In addition to the data, the attacker shared a list of domain names linked with the affected companies. They reportedly offered to remove employee information from specific organisations in exchange for payment.

What’s known and what’s not

At this stage, the full scope and authenticity of the data exposure remain under scrutiny. Oracle maintains that its systems were not breached, while CloudSEK continues to warn of serious risks tied to the data being circulated. Whether this incident reflects a verified intrusion or an overstated claim is still being evaluated by the wider cybersecurity community.
