Despite Oracle’s public denial of a data breach involving its Cloud services, mounting evidence suggests that the company’s federated Single Sign-On (SSO) systems may have been compromised. Reports from BleepingComputer indicate that the threat actor “rose87168” claims to have accessed Oracle Cloud’s login infrastructure and is selling data of approximately six million users, including encrypted passwords and user details.

Threat Actor Shares Alleged Breach Data

The situation first emerged when “rose87168” posted on a hacking forum, claiming to have stolen authentication data from Oracle’s systems. The hacker shared multiple text files containing LDAP records, encrypted passwords, and a list of over 140,000 domains connected to impacted organizations. These include both companies and government agencies.

Adding to the suspicions, the threat actor also shared a direct link to a file hosted on Oracle’s own “login.us2.oraclecloud.com” domain. This file reportedly contained the hacker’s contact email, implying the ability to write files to Oracle’s servers.

Oracle Denies Breach Despite Data Validity

Oracle has strongly denied any breach of its Cloud services, issuing a statement that reads, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, this response is at odds with findings from multiple organizations named in the leaked data. Representatives from these companies, who requested anonymity, confirmed that the user information, including LDAP display names and email addresses, was accurate and tied to their personnel.
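The leaked files described above are said to contain LDAP records with display names, email addresses and encrypted passwords for users across more than 140,000 domains, and the organisations quoted here confirmed the data by matching it against their own personnel. The following is an added example of that triage step, not code from the article, Oracle, BleepingComputer or the threat actor: it parses an assumed LDIF-style dump, keeps only entries whose mail domain belongs to the organisation, and orders them so that accounts whose password hash appears in the leak are rotated first. The sample records are constructed; nothing below comes from the real dataset.

```python
"""Triage a leaked LDAP export against an organisation's own domains.

Added example (not from the article, Oracle or BleepingComputer). The record
format is an assumed LDIF-style dump; the sample records are constructed and
not real leaked data.
"""

# Constructed sample of what an LDIF-style leak might look like (hypothetical
# names, domains and hash values).
SAMPLE_LEAK = """\
dn: cn=Alice Example,ou=People,dc=example,dc=com
displayName: Alice Example
mail: alice@example.com
userPassword: {SSHA}c29tZWhhc2hlZHZhbHVlMQ==

dn: cn=Bob Example,ou=People,dc=example,dc=com
displayName: Bob Example
mail: bob@EXAMPLE.com

dn: cn=Carol Other,ou=People,dc=other,dc=test
displayName: Carol Other
mail: carol@other.test
userPassword: {SSHA}c29tZWhhc2hlZHZhbHVlMg==
"""


def parse_ldif(text):
    """Split an LDIF-style dump into a list of attribute dicts, one per entry.

    Attribute names are lower-cased, multi-valued attributes are kept as
    lists, and continuation lines (leading space) are folded as in RFC 2849.
    A value written as "attr:: <base64>" is kept as the raw base64 string.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:
            # Folded continuation of the previous attribute value.
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            # Blank line terminates an entry.
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        value = value.lstrip(": ").strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def triage(entries, my_domains):
    """Return the accounts whose mail domain belongs to the organisation.

    Each hit records the normalised address, the display name, and whether
    the leaked entry also carried a userPassword value (a hash the attacker
    can try to crack offline), which is what drives rotation priority.
    """
    my_domains = {d.lower() for d in my_domains}
    affected = []
    for entry in entries:
        for mail in entry.get("mail", []):
            domain = mail.rsplit("@", 1)[-1].lower()
            if domain in my_domains:
                affected.append({
                    "mail": mail.lower(),
                    "display_name": entry.get("displayname", [""])[0],
                    "has_password_hash": "userpassword" in entry,
                })
    return affected


def rotation_priority(affected):
    """Order hits so accounts with a leaked hash come first, then the rest,
    each group alphabetically by address."""
    return sorted(affected, key=lambda a: (not a["has_password_hash"], a["mail"]))


if __name__ == "__main__":
    hits = rotation_priority(triage(parse_ldif(SAMPLE_LEAK), ["example.com"]))
    for hit in hits:
        flag = "ROTATE NOW" if hit["has_password_hash"] else "review"
        print(f"{flag:10s} {hit['mail']:25s} {hit['display_name']}")
```

Matching on the mail domain rather than on the `dn` keeps the check independent of how the dump's directory tree is laid out; accounts whose hash is present are listed first because an SSHA-style hash in attacker hands is the credential most likely to be cracked and replayed against federated SSO.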

Exploitation of Known Vulnerability?

Cybersecurity firm CloudSEK uncovered that the Oracle server in question was running Fusion Middleware 11g as recently as mid-February 2025. This version is vulnerable to CVE-2021-35587, a flaw in Oracle Access Manager that could allow unauthenticated access to sensitive systems. The threat actor claimed that this vulnerability was used to breach Oracle’s infrastructure.

Following the incident, Oracle took the affected login server offline, but the company has yet to acknowledge whether this action was related to the potential breach.

Email Exchanges Raise More Questions

In addition to the leaked data, BleepingComputer reviewed email exchanges between the threat actor and Oracle’s security team. In one message, the hacker claimed to have gained access to data on six million users. Another message, allegedly from a ProtonMail address associated with Oracle, suggested that the conversation continue via private email. This raises concerns about Oracle’s internal communication practices during security incidents.

Doubts About Oracle’s Position

Although Oracle maintains that its Cloud systems have not been compromised, the combination of verified leaked data, exploitable software vulnerabilities, and unacknowledged server access casts doubt on the company’s stance.