The National Computer Emergency Response Team (NCERT) has issued an advisory warning organizations about an alleged data breach on Oracle Cloud.
A cybercriminal operating under the alias “rose87168” has reportedly leaked sensitive information, including a sample database, LDAP authentication details, and a list of affected companies, on dark web forums, the advisory noted.
The hacker claims to have accessed Oracle Cloud servers 40 days ago and is now selling the stolen data, which allegedly includes over six million records containing federated Single Sign-On (SSO) login credentials of Oracle Cloud customers.
According to the advisory, the breach is believed to have exploited vulnerabilities in SSO authentication and LDAP misconfigurations, potentially exposing enterprise environments to unauthorized access and data theft.
Stolen credentials could be used for credential stuffing attacks, in which the leaked username and password pairs are replayed against other platforms where users have reused them, allowing hackers to gain further unauthorized access. If confirmed, this incident poses serious risks, including compromised cloud accounts, unauthorized data modifications, and possible deployment of malicious payloads, such as ransomware. Organizations relying on Oracle Cloud services must take immediate steps to mitigate these threats.
Among the most concerning impacts of the alleged breach is the risk of data exfiltration, where sensitive corporate and customer data may be copied and sold on illicit platforms. Threat actors could also exploit leaked credentials to manipulate cloud configurations, inject malware, and disrupt business operations.
Reports suggest that encrypted SSO passwords may be susceptible to brute-force decryption, further heightening security concerns. Additionally, phishing attempts targeting users of affected organizations have been detected, leveraging compromised credentials to expand access to corporate networks.
According to National CERT, while Oracle has denied any breach, organizations must proactively enforce security measures to prevent potential exploitation.
Companies using Oracle Cloud, particularly those employing SSO authentication and federated login mechanisms, should assume possible exposure and take preventive actions. The advisory recommends resetting all SSO account credentials, enabling Multi-Factor Authentication (MFA), and monitoring authentication logs for suspicious activity. Organizations are also urged to review identity management configurations and apply necessary security patches.
To strengthen security, organizations should conduct internal security audits, restrict access to critical cloud resources, and implement real-time threat detection mechanisms. Experts recommend deploying advanced endpoint protection solutions and enforcing strict access control policies based on user roles and necessity. Additionally, businesses should educate employees on recognizing phishing attempts and suspicious login activities to prevent further exploitation.
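The advisory's recommendation to monitor authentication logs for suspicious activity can be made concrete with a small detector for the credential-stuffing pattern it warns about: one source address failing logins against many distinct accounts in a short window, followed by a success that identifies which credential actually worked and must be revoked. The following is an added illustration, not NCERT's or Oracle's tooling; the line format (`<timestamp> <SUCCESS|FAILURE> user=<u> ip=<ip>`), the sample log, and the thresholds are all constructed assumptions.

```python
"""Detect credential-stuffing patterns in federated SSO authentication logs.

Constructed example, not NCERT's or Oracle's tooling. The log format is a
hypothetical line-oriented one: "<ISO timestamp> <result> user=<u> ip=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: one address cycles through several accounts and then
# succeeds on one of them; a second address shows ordinary user behaviour.
SAMPLE_LOG = """\
2025-03-22T10:00:01Z FAILURE user=alice@example.com ip=203.0.113.7
2025-03-22T10:00:02Z FAILURE user=bob@example.com ip=203.0.113.7
2025-03-22T10:00:03Z FAILURE user=carol@example.com ip=203.0.113.7
2025-03-22T10:00:04Z FAILURE user=dave@example.com ip=203.0.113.7
2025-03-22T10:00:05Z FAILURE user=erin@example.com ip=203.0.113.7
2025-03-22T10:00:06Z SUCCESS user=frank@example.com ip=203.0.113.7
2025-03-22T10:05:00Z SUCCESS user=alice@example.com ip=198.51.100.20
2025-03-22T10:06:00Z FAILURE user=alice@example.com ip=198.51.100.20
2025-03-22T10:06:30Z SUCCESS user=alice@example.com ip=198.51.100.20
"""


def parse(log_text):
    """Turn raw lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole pass
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct users} for addresses whose failed logins
    touched at least `min_users` different accounts inside `window`.

    Many failures against one account looks like a forgotten password;
    failures spread across many accounts from one place is the stuffing
    signature the advisory describes."""
    failures = defaultdict(list)  # ip -> [(ts, user)]
    for ts, result, user, ip in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, items in failures.items():
        items.sort()
        # Slide a window forward from every failure and count distinct users.
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_after_spray(events, flagged_ips):
    """Successful logins from an address already flagged for stuffing: these
    are the accounts whose leaked credentials worked and need revocation."""
    return sorted({(user, ip) for _, result, user, ip in events
                   if result == "SUCCESS" and ip in flagged_ips})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = detect_stuffing(evts)
    for ip, users in hits.items():
        print(f"[ALERT] {ip}: failures against {len(users)} distinct accounts")
    for user, ip in successes_after_spray(evts, hits):
        print(f"[REVOKE] {user}: successful login from flagged address {ip}")
```

Run against the constructed log, the detector flags `203.0.113.7` for five distinct failed accounts within seconds and reports `frank@example.com` as the session to revoke, while the single failure from `198.51.100.20` stays below the threshold. In a real deployment the same two functions would read the identity provider's federated-login audit stream, and the window and account count would be tuned to the tenant's normal failure rate.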
NCERT has called for an immediate security assessment by all Oracle Cloud users, emphasizing the need for proactive monitoring and rapid incident response. The advisory highlights the importance of forensic investigations, credential revocations, and enhanced security configurations to mitigate risks associated with the alleged breach. Organizations are urged to act swiftly to protect sensitive data and prevent further cybersecurity threats.
