Oracle Cloud Hack Compromises Millions, Company Continues Denial as User Data Emerges Online

Despite Oracle’s public denial of a data breach involving its Cloud services, mounting evidence suggests that the company’s federated Single Sign-On (SSO) systems may have been compromised. As reported by BleepingComputer, threat actor “rose87168” claims to have accessed Oracle Cloud’s login infrastructure and is selling the data of approximately six million users, including encrypted passwords and user details.

Threat Actor Shares Alleged Breach Data

The situation first came to light when “rose87168” posted on a hacking forum, claiming to have stolen authentication data from Oracle’s systems. The individual shared multiple text files containing LDAP records, encrypted passwords, and a list of over 140,000 domains tied to impacted organizations, including both companies and government agencies.

Adding to the suspicion, the threat actor also shared a direct link to a file hosted on Oracle’s own “login.us2.oraclecloud.com” domain that contained their own contact email—implying the ability to write files to Oracle’s servers.

Oracle Denies Breach Despite Data Validity

Oracle responded to the Source with a firm denial, stating, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, this statement contrasts sharply with findings from the Source, which contacted several companies named in the leaked data. Representatives from these organizations, who remained anonymous, confirmed that the user information—including LDAP display names and email addresses—was indeed accurate and tied to their personnel.

Possible Exploitation of Known Vulnerability

Cybersecurity firm CloudSEK also uncovered that the Oracle server in question was running Fusion Middleware 11g as recently as mid-February 2025. This version is vulnerable to CVE-2021-35587, a known flaw in Oracle Access Manager that can allow unauthenticated access to sensitive systems. The threat actor claimed that this specific vulnerability was used to breach Oracle’s infrastructure.

After the incident began making headlines, Oracle took the login server offline, but it has yet to acknowledge whether this was related to the potential breach.

Email Exchanges Raise More Questions

In addition to the leaked data, BleepingComputer reviewed emails purportedly sent between the threat actor and Oracle’s security team. In one message, the hacker claimed to have gained access to data on six million users. Another message, allegedly from a ProtonMail address affiliated with Oracle, suggested continuing the conversation via private email—raising concerns about internal communication practices during security incidents.

While Oracle maintains that its cloud systems remain uncompromised, the combination of verified data samples, exploitable software versions, and unacknowledged server access casts doubt on the company’s position.
