Archive for March 29, 2025

SOCRadar’s CISO Comments On The Oracle Cloud Data Breach

Posted in Commentary with tags on March 29, 2025 by itnerd

A threat actor using the alias “rose87168” claimed responsibility for breaching Oracle Cloud systems, allegedly stealing 6 million user records containing encrypted passwords, authentication keys, and directory credentials. Oracle has denied any breach occurred, stating no customer data was compromised.

To investigate these claims, SOCRadar contacted the threat actor, who provided the below 10,000-record sample. This dataset appears consistent with real Oracle Cloud user information, including structured fields like user IDs, encrypted credentials, and company-specific domains. While SOCRadar cannot confirm the full 6 million record claim, the sample’s format and content seem legitimate and not easily fabricated.

According to Ensar Seker, CISO at SOCRadar:

“Several other security researchers and vendors have also analyzed the sample. At least three Oracle Cloud customers reportedly confirmed their information was present in the leaked data, further supporting its authenticity. These confirmations, along with observed Indicators of Attack (IOAs) such as irregular logins and suspicious file activity, suggest that the breach may indeed be real.

The hacker continues to provide screenshots and additional data fragments to prove the claim. The screenshot illustrates structured user data likely sourced from an identity management system. The actor also claims to have exploited a known vulnerability (potentially CVE-2021-35587), though this has not been confirmed.
Despite the mounting evidence, Oracle maintains its stance that no breach occurred. The company has provided no technical explanation or alternative theory for the leaked data’s origin. This leaves many Oracle Cloud customers in a difficult position—unable to fully assess their exposure without further guidance.

In cybersecurity, even unconfirmed incidents should be treated with seriousness when multiple independent sources identify potential compromise. We recommend organizations remain vigilant, monitor their environments closely, and follow trusted updates from Oracle and the security community.

We urge all Oracle Cloud users to take precautionary steps, including:

  • Reviewing security logs from mid-February onward for unusual login attempts or access patterns.
  • Auditing user accounts, especially those with administrative privileges.
  • Rotating sensitive credentials such as SSO and LDAP passwords or keys.
  • Ensuring multi-factor authentication (MFA) is enabled across all accounts.”

Much as I said in this post, this might be the breach that we’re all talking about in 2025. So far, my hunch on this is proving correct.
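The four precautionary steps quoted above (log review from mid-February, privileged-account audit, credential rotation, MFA coverage) can be turned into a first-pass triage over authentication logs. The following is an added example written for this post; it is not SOCRadar's or Oracle's code. It assumes a constructed JSON Lines log format (fields `ts`, `user`, `ip`, `country`, `result`, `role`, `mfa`) and treats 15 February 2025 as the "mid-February" cutoff; both are assumptions you would replace with your own export and review window.

```python
"""First-pass triage of login events against the quoted recommendations.

Added example: constructed log format and thresholds, not Oracle Cloud's own.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed review cutoff ("mid-February" in the recommendation); set to your window.
REVIEW_START = datetime(2025, 2, 15, tzinfo=timezone.utc)
# Assumed burst threshold: this many failures from one source IP inside FAIL_WINDOW.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample log lines (JSON Lines). Not real data from any breach.
SAMPLE_LOG = """\
{"ts":"2025-01-20T09:00:00Z","user":"alice","ip":"198.51.100.10","country":"DE","result":"success","role":"user","mfa":true}
{"ts":"2025-01-22T09:05:00Z","user":"bob","ip":"198.51.100.11","country":"DE","result":"success","role":"admin","mfa":true}
{"ts":"2025-02-18T02:14:00Z","user":"alice","ip":"203.0.113.7","country":"RU","result":"success","role":"user","mfa":false}
{"ts":"2025-02-19T03:00:00Z","user":"bob","ip":"203.0.113.9","country":"DE","result":"success","role":"admin","mfa":false}
{"ts":"2025-02-20T04:00:00Z","user":"carol","ip":"203.0.113.50","country":"US","result":"failure","role":"user","mfa":true}
{"ts":"2025-02-20T04:02:00Z","user":"dave","ip":"203.0.113.50","country":"US","result":"failure","role":"user","mfa":true}
{"ts":"2025-02-20T04:04:00Z","user":"erin","ip":"203.0.113.50","country":"US","result":"failure","role":"user","mfa":true}
{"ts":"2025-02-21T10:00:00Z","user":"bob","ip":"198.51.100.11","country":"DE","result":"success","role":"admin","mfa":true}
"""


def parse_events(text):
    """Parse JSON Lines into dicts with an aware datetime in 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def new_country_logins(events, review_start=REVIEW_START):
    """Successful logins after the cutoff from a country the user never logged in from before it."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["ts"] < review_start:
            baseline[ev["user"]].add(ev["country"])
    return [
        (ev["user"], ev["country"], ev["ip"])
        for ev in events
        if ev["result"] == "success"
        and ev["ts"] >= review_start
        and ev["country"] not in baseline[ev["user"]]
    ]


def failed_login_bursts(events, review_start=REVIEW_START,
                        threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Source IPs with >= threshold failed logins inside a sliding window (spraying pattern).

    Returns {ip: sorted list of usernames targeted in the first burst found}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure" and ev["ts"] >= review_start:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = sorted({e["user"] for e in evs[start:end + 1]})
                break
    return findings


def admin_logins_without_mfa(events, review_start=REVIEW_START):
    """Successful privileged logins after the cutoff that did not complete MFA."""
    return [
        (ev["user"], ev["ts"].isoformat(), ev["ip"])
        for ev in events
        if ev["result"] == "success"
        and ev["ts"] >= review_start
        and ev["role"] == "admin"
        and not ev["mfa"]
    ]


def triage(text):
    """Run all three checks and list the accounts whose credentials to rotate first."""
    events = parse_events(text)
    new_geo = new_country_logins(events)
    bursts = failed_login_bursts(events)
    no_mfa = admin_logins_without_mfa(events)
    # Any account touched by a finding goes to the front of the rotation queue.
    rotate = sorted({u for u, _, _ in new_geo} | {u for u, _, _ in no_mfa})
    return {
        "new_country_logins": new_geo,
        "failed_login_bursts": bursts,
        "admin_logins_without_mfa": no_mfa,
        "rotate_first": rotate,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2, default=str))
```

On the constructed sample this flags one user logging in from a country absent from their pre-cutoff baseline, one source IP spraying failures across three accounts within ten minutes, and one administrator session that succeeded without MFA; the two accounts involved in successful anomalous sessions are the ones to rotate first. The baseline window is the weak point of the geo check: if the compromise predates your cutoff, the attacker's country is already "normal", so keep the baseline well before the earliest suspected activity.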

Over 200 Million Records Allegedly Belonging to X/Twitter Leaked

Posted in Commentary with tags on March 29, 2025 by itnerd

Recently, the Safety Detectives Cybersecurity Team stumbled upon a forum post on the clear web where a threat actor posted a link to a CSV file containing over 200 entries with information allegedly belonging to over 1 million X/Twitter users.

You can see their full report here: https://www.safetydetectives.com/news/x200m-leak-report/