Oracle Cloud Hit By Biggest Supply Chain Attack of 2025 – 140,000 Businesses At Risk


A significant security breach has compromised Oracle Cloud’s infrastructure, exposing approximately 6 million records and placing over 140,000 businesses at risk. Cybersecurity firm CloudSEK identified the breach on March 21, 2025, attributing it to a threat actor known as “rose87168.”

The attacker is not well known in cybersecurity circles, but has demonstrated what experts are calling a “high level of technical sophistication.”

The compromised data includes sensitive authentication files such as Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. These elements are crucial for maintaining secure access within enterprise environments.

The attacker reportedly exploited a vulnerability in Oracle Cloud’s login interface, specifically targeting the subdomain login.us2.oraclecloud.com. This subdomain was associated with Oracle Fusion Middleware 11G, which has known vulnerabilities, including CVE-2021-35587. This particular flaw allows unauthenticated attackers to compromise Oracle Access Manager, potentially leading to a complete system takeover.

The threat actor has been active since January 2025 and is demanding payments from affected companies to remove their data from the compromised set. They have also offered incentives to individuals who can assist in decrypting the stolen SSO passwords or cracking the Lightweight Directory Access Protocol (LDAP) passwords.

The breach poses several risks:

  • Data Exposure: Sensitive authentication data could be used for unauthorized access or corporate espionage.
  • Credential Compromise: If decrypted, the stolen passwords could facilitate further breaches within Oracle Cloud environments.
  • Extortion: The attacker’s ransom demands place additional financial and reputational pressures on affected businesses.

CloudSEK advises organizations utilizing Oracle Cloud services to take immediate action, including resetting passwords, updating security protocols, and monitoring for unusual activity. Businesses can verify their exposure to this breach through CloudSEK’s dedicated portal:

https://exposure.cloudsek.com/oracle

Oracle has yet to release an official statement regarding the breach. Organizations are urged to remain vigilant and implement recommended security measures to mitigate potential threats arising from this incident.
