Hacker “rose87168” alleges orchestrating what’s being called the biggest supply chain cyberattack of 2025, allegedly stealing 6 million records from Oracle Cloud.
According to the hacker, the breach exposed Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, potentially impacting over 140,000 Oracle Cloud tenants.
Oracle, however, isn’t having it. In a statement to BleepingComputer, the company flat-out denied the allegations, stating, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Despite Oracle’s firm denial, cybersecurity firm CloudSEK is raising eyebrows, pointing out that a dataset containing Java KeyStore (JKS) files, encrypted SSO passwords, and Enterprise Manager JPS keys is being peddled on dark web forums.
If authentic, this could be a major security headache for businesses relying on Oracle Cloud.
Cybersecurity experts are split on the matter. Some insist the claims need independent verification before sounding the alarm, while others are urging caution and recommending Oracle Cloud customers take proactive steps, including:
- Keeping a close eye on access logs for any unusual activity
- Resetting passwords and rotating encryption keys
- Enabling multi-factor authentication (MFA) as a precaution
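The first of those steps, watching access logs for unusual activity, is the one customers can act on immediately. The script below is an added example (not from the article, CloudSEK or Oracle) of two simple checks a defender can run over SSO sign-in logs: a successful login from a source IP that is not in the account's known baseline, and a success that follows a burst of failures from the same address. The log format, the baseline IP table and the sample lines are all constructed here; real Oracle Cloud or identity-provider audit logs use their own fields and the parser would need adapting.

```python
"""Flag unusual SSO sign-in activity in constructed sample access logs.

Added example, not from the article. Assumes a simplified log format:
    <ISO-8601 timestamp> <user> <source_ip> <outcome>   (outcome: SUCCESS|FAILURE)
Real Oracle Cloud / IdP audit logs differ; adapt parse() accordingly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: source IPs each account has been seen from before.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.11", "198.51.100.5"},
}

# Constructed sample log (documentation-range addresses only).
SAMPLE_LOG = """\
2025-03-21T08:02:11Z alice 203.0.113.10 SUCCESS
2025-03-21T08:05:40Z bob 198.51.100.5 SUCCESS
2025-03-21T02:14:03Z alice 192.0.2.77 FAILURE
2025-03-21T02:14:09Z alice 192.0.2.77 FAILURE
2025-03-21T02:14:15Z alice 192.0.2.77 FAILURE
2025-03-21T02:14:22Z alice 192.0.2.77 FAILURE
2025-03-21T02:14:30Z alice 192.0.2.77 SUCCESS
2025-03-21T09:30:00Z bob 203.0.113.11 SUCCESS
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, ip, outcome) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    events.sort()  # logs are not guaranteed to arrive in order
    return events


def find_anomalies(log_text, known_ips, fail_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (user, ip, reason) findings worth an analyst's attention."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    for ts, user, ip, outcome in parse(log_text):
        if outcome == "FAILURE":
            failures[(user, ip)].append(ts)
            continue
        # A success from an address the account has never used before.
        if ip not in known_ips.get(user, set()):
            findings.append((user, ip, "success from IP not in baseline"))
        # A success preceded by repeated failures from the same address
        # inside the window: consistent with guessing or credential stuffing.
        recent = [t for t in failures[(user, ip)] if ts - t <= window]
        if len(recent) >= fail_threshold:
            findings.append((user, ip, f"success after {len(recent)} failures within {window}"))
    return findings


if __name__ == "__main__":
    for user, ip, reason in find_anomalies(SAMPLE_LOG, KNOWN_IPS):
        print(f"{user} from {ip}: {reason}")
```

Both checks are deliberately cheap so they can run over a full day of logs; the baseline of known IPs should come from a period before the window of concern, otherwise a compromised session would teach the detector its own address.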
Alleged Oracle Data Breach – SSO Data For Sale
Hacker “rose87168” is now offering the purportedly stolen Oracle Cloud SSO data for sale on BreachForums. The data is available for an undisclosed price or in exchange for zero-day exploits.
While Oracle maintains there’s no breach, the situation highlights the ongoing threat of supply chain attacks and the importance of staying vigilant when it comes to cloud security.

Apparently the data (including encrypted SSO passwords, Java KeyStore (JKS) files, key files, and Enterprise Manager JPS keys) was stolen after hacking into ‘login.(region-name).oraclecloud.com’ Oracle servers.
Rose87168 says that although the SSO passwords are encrypted, they can be decrypted with the files included in the dump, and that the hashed LDAP passwords can be cracked.
“I’ll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees’ information from the list before it’s sold,” he said.
The hacker also offered portions of the stolen data to anyone who can help decrypt the SSO passwords or crack the LDAP credentials.
Speaking to BleepingComputer, the threat actor claimed they had access to Oracle Cloud servers for around 40 days before reaching out to the company.
They allege that after exfiltrating data from the US2 and EM2 cloud regions, they emailed Oracle, demanding 100,000 XMR in exchange for details on how the breach occurred. However, according to rose87168, Oracle refused to pay after requesting “all information needed for a fix and patch.”
When asked how they infiltrated Oracle Cloud, the hacker claimed that all of its servers run a vulnerable version of software tied to a publicly known CVE.
While they stated that no public proof-of-concept (PoC) or exploit currently exists for this flaw, BleepingComputer has not been able to independently verify these claims.
Jake Williams, a faculty member at IANS Research and VP of R&D at Hunter Strategy, said even with Oracle’s denials, he has “little doubt” that a compromise of Oracle’s environment took place.
“There is direct evidence that a threat actor was able to upload data to the web root of a login server that was being actively used, so it can’t just be a ‘legacy endpoint’ as some have suggested,” Williams said via email.
Hack Appears To Be Legitimate, Despite Oracle Denials
Security researchers have come forward and said that the recent post on a hacking forum claiming a massive breach of Oracle Cloud appears legitimate.
The list of over 140,000 organisations affected by the alleged breach reveals that several Australian companies, such as Optus, Woolworths, and Nine Entertainment, have been impacted.
Additionally, government agencies, including the Australian Taxation Office and the Defence Department, are among those compromised.
“The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” an Oracle spokesperson said.
However, researchers at cyber security firm CloudSEK believe otherwise. They say the hacker’s claims are entirely correct.
By combining CloudSEK’s Nexus platform with human intelligence, the company verified that one of the login endpoints claimed by the hacker – login.us2.oraclecloud.com – is a legitimate production SSO environment.
Additionally, the domains listed by the hacker were found to match those in Oracle partner guides and public GitHub repositories.
Rahul Sasi, CEO and Co-founder of CloudSEK, says the organisation is driven by transparency and evidence, not speculation.
“This follow-up report equips the community and Oracle with facts to investigate and mitigate this threat responsibly,” says Sasi.
CloudSEK warns that the breach could have several long-term consequences, such as continued risks of cyber espionage, unauthorized access to Oracle customers, extortion, and supply chain disruptions.
The hacker has been updating their original post with details of CloudSEK’s investigations, adding additional sample datasets, and initially offered companies the opportunity to pay for the removal of their data.
“I’ll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees’ information from the list before it’s sold,” the hacker – using the handle rose87168 – said.
The hacker also claimed to have been in contact with Oracle previously and that the company had their contact information.
“Oracle can send me a message through the company’s official email to My Email with 72H (we talk before),” the hacker said.
Following the latest threat, potentially affected organisations rushed to update their Oracle credentials, despite Oracle denying that any breach had taken place.
