CloudSEK discovers unverified source of Oracle Cloud breach

News | 24 Mar 2025 | 2 min read

This incident highlights the persistent threats facing cloud environments

[Image: Oracle sign on building. Credit: MDart10 / Shutterstock]

CloudSEK has uncovered a major breach targeting Oracle Cloud, with six million records extracted via a suspected undisclosed vulnerability, although it is unclear whether the incident occurred because of a vulnerability at an organisation using Oracle’s cloud infrastructure.

Oracle has stated to a number of media outlets that no hacker has breached Oracle Cloud.

According to CloudSEK, its digital risk platform, XVigil, discovered a threat actor, rose87168, selling records transferred from the single sign-on (SSO) and Lightweight Directory Access Protocol (LDAP) systems of Oracle Cloud.

The data includes JKS files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys.

CloudSEK wrote that the “attacker, active since January 2025, is incentivising decryption assistance and demanding payment for data removal from over 140K affected tenants”.

“Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorised access,” said CloudSEK. “While the threat actor has no prior history, their methods indicate high sophistication.”

CloudSEK said rose87168 also “offered an incentive to anyone that helped them decrypt the SSO passwords, and/or crack the LDAP passwords”.

“The list of affected tenants is over 140k, and the threat actor is urging companies to contact them and pay a certain ‘fee’ to get their data removed.”

The threat actor has also created an X page and started following Oracle-related pages, CloudSEK claimed.

Cyber security vendor Orca Security noted the “attacker” is also “demanding payments from affected organisations to prevent further exposure”.

“Affected organisations should take immediate action to assess their security posture and implement necessary safeguards,” stated Orca Security.

Orca recommends that organisations using Oracle Cloud take two actions. First, reset credentials: immediately reset passwords, especially for privileged accounts, and enforce strong password policies with multi-factor authentication. Second, monitor for suspicious activity: deploy security monitoring tools to detect unauthorised access or unusual behaviour.

“This incident highlights the persistent threats facing cloud environments and the high stakes for organisations relying on cloud infrastructure,” said Orca Security. “Adopting strong security practices, including regular assessments, access controls, and proactive threat monitoring, remains essential in mitigating risks.”