Security
Business Honor
01 April, 2025
Security researchers confirm Oracle Cloud breach, with hacker threatening to sell stolen data.
Security researchers have validated a data breach at Oracle Cloud, with threat actor Rose87168 claiming credit and threatening to publish or sell the stolen data. According to security analysts, the breach has impacted more than 140,000 Oracle Cloud tenants, with the hacker purportedly gaining access to over 6 million data records.
The hacker issued a threat on Sunday stating that Oracle is not complying with the demands and that if the company keeps declining to interact, the stolen data will be disclosed or sold. This assertion has caused alarm among cybersecurity experts, with mounting evidence confirming the hacker's accusations of a breach.
CloudSEK research showed that the breach was likely due to the exploitation of a zero-day vulnerability in Oracle's system, more precisely in the OAuth2 authentication protocol. The vulnerability, tracked as CVE-2021-35587, exists in the Oracle Access Manager product of Oracle Fusion Middleware. It has a CVSS score of 9.8, indicating its severity. The vulnerability allows unauthenticated attackers to hijack the system over HTTP, potentially leading to unauthorized access to sensitive data.
The pilfered data, as reported, includes single sign-on credentials, Lightweight Directory Access Protocol (LDAP) passwords, OAuth2 keys, and tenant information. Trustwave SpiderLabs also revealed that the hacker has threatened to sell the stolen data, providing options for purchase by company name, hashed credentials, and other identifying characteristics.
Oracle initially refused to acknowledge the breach and has since remained tight-lipped, declining to comment on or confirm it. Security researchers, however, have found evidence that corroborates the reports and indicates the breach is real.
The incident highlights the heightened risk of vulnerabilities in cloud platforms and the need for top-level cybersecurity protocols to protect sensitive data from theft and exploitation.