New evidence fuels Oracle Cloud breach allegations

April 2, 2025

Oracle Cloud breach allegations continue to escalate as new evidence emerges, contradicting the company’s repeated denials of any security compromise.

iZOOlogic previously reported on this issue in two separate articles, first covering the hacker’s claims and Oracle’s dismissal and later revealing confirmations from affected companies that the leaked data was legitimate. This article serves as another follow-up to the developing story, as further information challenges Oracle’s transparency regarding the situation.


The Oracle Cloud breach controversy deepens as experts verify leaked data, contradicting Oracle’s denial of any security compromise.


The controversy began when a threat actor known as rose87168 claimed to have infiltrated Oracle’s cloud-federated SSO login servers, allegedly stealing authentication data, encrypted passwords, and sensitive company details belonging to six million users.

Oracle strongly denied the claims, stating that no customer data had been compromised and that the leaked credentials did not originate from Oracle Cloud. However, multiple cybersecurity experts have since verified that the leaked samples contained genuine email addresses, LDAP details, and other identifying information, directly contradicting Oracle’s statements.

Rose87168 released text files with database extracts and a list of 140,621 corporate domains purportedly impacted by the incident to support their claims. While some of these domains were test accounts, numerous companies verified that their staff’s email addresses and internal details were present in the leaked data. The hacker also shared an Archive[.]org link to a file hosted on Oracle’s system, which contained their ProtonMail address. This suggests that the attacker had ‘write access’ to Oracle’s servers, something that would only be possible if a breach had occurred.

Further escalating the issue, the hacker released a two-hour-long internal Oracle meeting recording in which employees were heard discussing access to internal password vaults and customer-facing systems. Additionally, cybersecurity researchers linked the breach to a known vulnerability in Oracle Fusion Middleware 11g, tracked as CVE-2021-35587, which allows unauthorised access to Oracle Access Manager.

Reports indicate that this vulnerability was present on Oracle’s login server as of mid-February. After the breach was reported, Oracle quietly took the affected server offline but continued to deny any security failure publicly.

Rose87168 claimed to have accessed Oracle Cloud servers for over 40 days before being detected and later attempted to ransom the company for 100,000 XMR in exchange for details on the breach. Oracle allegedly refused to pay after requesting full technical information to patch the vulnerability. The hacker has since continued releasing more data and is offering the stolen information for sale on BreachForums, even reaching out to cybersecurity intelligence providers to validate the breach.

Despite mounting evidence, Oracle has maintained its stance that no breach has occurred.

The company has also been accused of carefully wording its statements to distance the incident from its primary cloud services. Instead of publicly addressing concerns, Oracle has reportedly informed affected customers verbally rather than providing written confirmations. This behaviour mirrors a previous breach involving Oracle Health, where sensitive medical data was compromised, but the company refused to document any acknowledgements in writing.

Further scrutiny arose when Oracle asked Archive[.]org to remove evidence of the breach but failed to delete a second URL that also confirmed unauthorised access. These actions have raised concerns about Oracle’s transparency and its responsibility to protect customer data.

With uncertainty still surrounding the Oracle Cloud breach, security experts urge affected organisations to reassess security measures and stay vigilant. As more evidence emerges, pressure increases on Oracle to provide transparency, while customers are advised to take proactive steps to protect their data.
