Researchers have uncovered a major breach targeting Oracle Cloud, with 6 million records exfiltrated via a suspected undisclosed vulnerability. Over 140,000 tenants are impacted, as the attacker demands ransom and markets sensitive data online.
More info here: https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
Ensar Seker, CISO at SOCRadar, provided the following comments:
“This incident is not just a breach, it’s a watershed moment for cloud security and third-party risk awareness.
The Oracle Cloud breach, allegedly carried out by a hacker known as “rose87168,” is a high-impact supply chain compromise with a potentially global ripple effect. With 6 million records stolen, affecting over 140,000 tenants, and sensitive data like encrypted passwords, configuration files, and access credentials now exposed, this isn’t just a strike against Oracle, it’s a wake-up call for every business relying on third-party cloud platforms.
From the initial findings, the hacker exploited what appears to be a zero-day vulnerability in Oracle WebLogic, which is often used to power login systems for Oracle Cloud. Once inside, they were able to exfiltrate sensitive data at scale, and now they’re demanding payments for deletion, essentially holding businesses hostage with their own data. That’s ransomware behavior without the encryption step, targeting confidentiality and reputation instead of just availability.
So, what makes this breach especially dangerous? First, it targets the supply chain layer, an area where many companies mistakenly assume security is outsourced to the cloud provider. The reality is, shared responsibility doesn’t mean equal responsibility, and this case proves that even the largest, most reputable cloud vendors are not immune to zero-days or sophisticated adversaries. Second, the hacker’s move to crowdsource the decryption of stolen password hashes by offering rewards is a chilling tactic. It opens the door to mass credential stuffing, lateral movement attacks, and future ransomware campaigns, potentially affecting not just Oracle’s clients, but also their partners, vendors, and customers.
This incident could become 2025’s SolarWinds moment, especially if we confirm that multiple enterprises were breached via their Oracle Cloud instances. We’re looking at a case that undermines trust in critical cloud infrastructure, and once again underscores how a single vulnerability in a widely used platform can cascade across thousands of organizations. This also raises a pressing question: How soon did Oracle know? How was this vulnerability triaged, and were any proactive mitigations communicated before this data was already on the dark web?
One of the important questions is: what can affected companies do?
- Incident Response at the Tenant Level: Every affected company must immediately rotate all credentials, access keys, and tokens related to Oracle services. Assume compromise and move quickly.
- Monitor for Reuse and Exposure: Expect these stolen credentials to surface in stealer logs, dark web marketplaces, and brute-force tools. Deploy threat intelligence platforms to track brand mentions and leaked credentials.
- Demand Vendor Transparency: Customers should pressure Oracle to release a full technical breakdown, including a timeline, affected services, and patching instructions. Transparency now will be critical for restoring trust.
- Rethink Cloud Security Assumptions: CISOs must treat third-party platforms with the same scrutiny as internal systems. That means continuous monitoring, vulnerability scanning, and more aggressive red teaming of cloud-based assets.”
This is possibly going to be huge. Thus you should keep an eye on this, as my “Spidey Sense” says that this is going to be something that we are going to hear more about.
KnowBe4 Earns 5-Star Rating in the 2025 CRN Partner Program Guide
Posted in Commentary with tags KnowBe4 on March 24, 2025 by itnerd
KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, has been honored by CRN®, a brand of The Channel Company, with a 5-Star Award in the 2025 CRN Partner Program Guide. This annual guide is an essential resource for solution providers seeking vendor partner programs that match their business goals and deliver high partner value.
The extensive support and resources technology vendors offer through their partner programs are a critical consideration for solution providers assessing which IT vendors, service providers, and distributors to team with in building world-class technology solutions. Program elements such as financial incentives, sales and marketing assistance, training and certification, technical support and more can set vendors apart and play a key role in boosting their partners’ long-term growth and profitability.
The 5-Star Award is an elite recognition given to companies that have built their partner programs on the key elements needed to nurture lasting, profitable, and successful channel partnerships.
For the 2025 Partner Program Guide, the CRN research team evaluated vendors based on program requirements and offerings such as partner training and education, pre- and post-sales support, marketing programs and resources, technical support, and communication.
The 2025 Partner Program Guide will be featured in the April 2025 issue of CRN and published online at www.CRN.com/PPG beginning March 24, 2025.