A war of words has erupted between Oracle and cybersecurity researchers following claims the company suffered a security breach.
In mid-March, a threat actor by the name ‘rose87168’ published six million records, claiming the data was stolen from Oracle’s Cloud federated Single Sign-On (SSO) login service and demanding payment from affected customers.
Posted to the dark web, the sample database allegedly included a list of affected companies, encrypted SSO passwords, Java KeyStore (JKS) files, LDAP information, and more.
“The SSO passwords are encrypted, they can be decrypted with the available files, also LDAP hashed passwords can be cracked,” the threat actor said.
"I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold."
Initial analysis from researchers at CloudSEK suggested the root cause of the breach appears to have been a failure to patch a server affected by a critical vulnerability.
“The threat actor has demonstrated sophisticated capabilities by targeting a critical authentication infrastructure,” CloudSEK said in its report. “They’re not only selling the data but also actively recruiting assistance to decrypt the stolen passwords, suggesting an organized and persistent threat operation.”
Oracle hits back at data breach claims
Oracle strongly denied the claims by both the threat actor and CloudSEK, insisting no customers have been impacted.
“There has been no breach of Oracle Cloud,” a spokesperson for the firm told BleepingComputer. “The published credentials are not for Oracle Cloud. No Oracle Cloud customer experienced a breach or lost any data.”
Researchers at CloudSEK have hit back, however, publishing a follow-up report which claims their investigation “paints a different picture”.
CloudSEK said the threat actor provided a sample of customer data and a text file created on login.us2.oraclecloud.com – which researchers said equates to “evidence aligning with their claim that the SSO server was active weeks before the breach surfaced”.
In a comprehensive rebuttal to Oracle’s claims, CloudSEK said its investigation centers around a series of key findings.
This includes the fact that an archived GitHub repository from Oracle’s official “oracle-quickstart” account features a script (mpapihelper.py) using login.us2.oraclecloud.com for OAuth2 token generation.
“This endpoint authenticated API requests for the Oracle Cloud Marketplace, proving its production use,” researchers said. “OneLogin and Rainfocus documentation further validate its role in live SSO setups.”
Similarly, the security firm pointed to what it described as “real users’ exposure” as a sign the claims are legitimate. A host of domains found in public GitHub repositories and Oracle partner guides allegedly match the attacker’s leaked tenant list, CloudSEK noted.
“These are not dummy accounts but Oracle Cloud users, underscoring the breach’s scope.”
Rahul Sasi, CEO and co-founder of CloudSEK, said the firm is “driven by transparency and evidence, not speculation” in response to Oracle’s denial.
“This follow-up report equips the community and Oracle with facts to investigate and mitigate this threat responsibly.”
The potential impact of the Oracle breach
CloudSEK said the alleged breach could have profound implications for Oracle and its customers.
The company said six million records, including sensitive authentication data, could be at risk, thereby resulting in “heightened risks of authorized access and espionage”.
The risk posed by encrypted SSO and LDAP passwords could also “unlock further breaches if cracked,” CloudSEK warned.
Similarly, the supply chain fallout of the incident as a result of exposed JKS files is a serious cause for concern, enabling downstream attacks on interconnected systems.
“A suspected unpatched vulnerability suggests deeper security flaws,” CloudSEK added.
MORE FROM ITPRO
