Oracle breach claims spark war of words with security researchers
The tech giant denied claims it had been breached – researchers have hit back


A war of words has erupted between Oracle and cybersecurity researchers following claims the company suffered a security breach.
In mid-March, a threat actor by the name ‘rose87168’ published six million records, claiming the data was stolen from Oracle’s Cloud federated Single Sign-On (SSO) login service and demanding payment from affected customers.
Posted to the dark web, the sample database allegedly included a list of affected companies, encrypted SSO passwords, Java KeyStore (JKS) files, LDAP information, and more.
“The SSO passwords are encrypted, they can be decrypted with the available files, also LDAP hashed passwords can be cracked,” the threat actor said.
"I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold."
Initial analysis from researchers at CloudSEK suggested the root cause was a failure to patch a server affected by a critical vulnerability.
“The threat actor has demonstrated sophisticated capabilities by targeting a critical authentication infrastructure,” CloudSEK said in its report. “They’re not only selling the data but also actively recruiting assistance to decrypt the stolen passwords, suggesting an organized and persistent threat operation.”
Oracle hits back at data breach claims
Oracle strongly denied the claims by both the threat actor and CloudSEK, insisting no customers have been impacted.
“There has been no breach of Oracle Cloud,” a spokesperson for the firm told BleepingComputer. “The published credentials are not for Oracle Cloud. No Oracle Cloud customer experienced a breach or lost any data.”
Researchers at CloudSEK have hit back, however, publishing a follow-up report which claims their investigation “paints a different picture”.
CloudSEK said the threat actor provided a sample of customer data and a text file created on login.us2.oraclecloud.com, which researchers described as "evidence aligning with their claim that the SSO server was active weeks before the breach surfaced".
In a comprehensive rebuttal to Oracle's claims, CloudSEK said its investigation centers on a series of key findings.
This includes the fact that an archived GitHub repository from Oracle’s official “oracle-quickstart” account features a script (mpapihelper.py) using login.us2.oraclecloud.com for OAuth2 token generation.
“This endpoint authenticated API requests for the Oracle Cloud Marketplace, proving its production use,” researchers said. “OneLogin and Rainfocus documentation further validate its role in live SSO setups.”
Similarly, the security firm pointed to what it described as “real users’ exposure” as a sign the claims are legitimate. A host of domains found in public GitHub repositories and Oracle partner guides allegedly match the attacker’s leaked tenant list, CloudSEK noted.
“These are not dummy accounts but Oracle Cloud users, underscoring the breach’s scope.”
Responding to Oracle's denial, Rahul Sasi, CEO and co-founder of CloudSEK, said the firm is "driven by transparency and evidence, not speculation".
“This follow-up report equips the community and Oracle with facts to investigate and mitigate this threat responsibly.”
The potential impact of the Oracle breach
CloudSEK said the alleged breach could have profound implications for Oracle and its customers.
The company said six million records, including sensitive authentication data, could be at risk, with "heightened risks of unauthorized access and espionage".
The risk posed by encrypted SSO and LDAP passwords could also “unlock further breaches if cracked,” CloudSEK warned.
Exposed JKS files are a further concern with supply chain implications: a Java KeyStore can hold the private keys and certificates that trust relationships with other systems depend on, so their exposure enables downstream attacks on interconnected systems.
“A suspected unpatched vulnerability suggests deeper security flaws,” CloudSEK added.
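The claim above that LDAP hashed passwords "can be cracked" rests on how directory servers typically store userPassword values. As an added example (not code from the article, CloudSEK or Oracle), the Python below implements the RFC 2307-style {SHA}, {SSHA}, {SSHA256} and {SSHA512} schemes used by OpenLDAP-style directories, verifies a password against such a hash the way a bind would, and runs a wordlist over a constructed dump the way an attacker holding the data would. Which scheme the leaked data actually uses is not stated on the page, so the scheme, the DNs, the passwords and the wordlist are all assumptions.

```python
"""Added example: verifying and wordlist-cracking RFC 2307-style LDAP
userPassword hashes ({SHA}, {SSHA}, {SSHA256}, {SSHA512}).

Not code from the article, CloudSEK or Oracle. The scheme, entries, passwords
and wordlist below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme label -> (hash constructor, digest length in bytes)
SCHEMES = {
    "SHA": (hashlib.sha1, 20),       # unsalted, legacy
    "SSHA": (hashlib.sha1, 20),      # salted SHA-1, OpenLDAP's common default
    "SSHA256": (hashlib.sha256, 32),
    "SSHA512": (hashlib.sha512, 64),
}


def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Produce a {SCHEME}base64(digest || salt) value as a directory would store it."""
    ctor, _ = SCHEMES[scheme]
    if scheme == "SHA":
        salt = b""                      # {SHA} carries no salt
    elif salt is None:
        salt = os.urandom(4)            # 4-byte salt, as OpenLDAP generates by default
    digest = ctor(password.encode("utf-8") + salt).digest()
    return f"{{{scheme}}}" + base64.b64encode(digest + salt).decode("ascii")


def parse_hash(stored: str):
    """Split a stored value into (scheme, digest, salt)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}-prefixed hash")
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(encoded)
    _, digest_len = SCHEMES[scheme]
    return scheme, raw[:digest_len], raw[digest_len:]


def verify(password: str, stored: str) -> bool:
    """What the directory does at bind time: hash the supplied password with the stored salt."""
    scheme, digest, salt = parse_hash(stored)
    ctor, _ = SCHEMES[scheme]
    return hmac.compare_digest(ctor(password.encode("utf-8") + salt).digest(), digest)


def crack(stored: str, wordlist) -> Optional[str]:
    """What an attacker with the dump does: the same computation, once per guess.
    No iteration count means each guess costs exactly one hash."""
    scheme, digest, salt = parse_hash(stored)
    ctor, _ = SCHEMES[scheme]
    for guess in wordlist:
        if ctor(guess.encode("utf-8") + salt).digest() == digest:
            return guess
    return None


def crack_dump(entries, wordlist) -> dict:
    """Run the wordlist over every (dn, userPassword) pair; None means not recovered."""
    return {dn: crack(stored, wordlist) for dn, stored in entries}


# Constructed sample dump (fictitious DNs, fixed salts so the run is reproducible).
SAMPLE_DUMP = [
    ("uid=alice,ou=people,dc=example,dc=com",
     make_hash("Winter2024!", "SSHA", b"\x01\x02\x03\x04")),
    ("uid=bob,ou=people,dc=example,dc=com",
     make_hash("correct horse battery staple", "SSHA256", b"\xaa\xbb\xcc\xdd")),
    ("uid=carol,ou=people,dc=example,dc=com",
     make_hash("Password1", "SHA")),
]

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "Password1", "Oracle123", "Winter2024!"]

if __name__ == "__main__":
    for dn, recovered in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{dn}: {recovered or '<not in wordlist>'}")
```

The point the code makes is that each of these schemes is a single hash with no work factor: an attacker holding the dump tests every guess at raw hash speed, and the 4-byte salt only defeats precomputed tables, not a per-user dictionary run. Short or common passwords (alice and carol above) fall immediately; only a long passphrase (bob) survives the wordlist. The defensive consequence is the one CloudSEK draws: any credential whose hash appears in such a dump should be treated as compromised and rotated, regardless of salting.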

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.