Oracle Cloud Got Hit- Lessons in Data Protection and Disclosure

Posted by Davies Parker
Jun 19, 2025

Oracle Cloud is one of the leading providers of enterprise cloud services, offering a complete set of services for enterprise computing needs. Oracle provides cloud-based solutions for Human Capital Management, Enterprise Resource Planning, Supply Chain Management, and many other applications, all managed, hosted, and supported by Oracle.

On 21 March 2025, CloudSEK's XVigil platform discovered a threat actor, "rose87168", selling 6 million records exfiltrated from Oracle Cloud's SSO (Single Sign-On) and LDAP (Lightweight Directory Access Protocol) systems. The breach reportedly affected over 140,000 Oracle Cloud tenants. It highlights the importance of a robust security programme, timely application of mitigations, and the need to rethink cloud security.

Dissecting Oracle’s breach

According to Oracle, the compromised data was approximately 16 months old and did not include complete Personally Identifiable Information (PII). The exposed data included email addresses, usernames, and hashed passwords. Per the listing, the stolen material comprised SSO and LDAP credentials, JKS (Java KeyStore) files, passwords and key files, and Enterprise Manager JPS keys, about 6 million records in total. Hashed passwords and exported key stores are still credentials: hashes can be cracked offline, and a key store is only as safe as the passphrase protecting it, so tenants should treat them as exposed rather than as safely obscured.

The breach Oracle faced in March is not the first of its kind. Earlier, in February, attackers accessed data from Oracle servers at Cerner, an electronic health records company. A class action lawsuit was filed against Oracle, which was criticised for a lack of notification that made the situation worse. Oracle did not explain whether it had contained the threat or how the intrusion happened.

After initially denying the incident, Oracle acknowledged to some clients that attackers had stolen old client credentials after breaching a "legacy environment" last used in 2017. Asked how the servers were breached, the threat actor told BleepingComputer that the Oracle Cloud servers were all running a version affected by a public CVE for which no public PoC (proof of concept) or exploit existed at the time. The threat actor also contacted Oracle to demand a ransom and tracked down Oracle's social media handles, trying to intimidate and pressure the company, a glimpse of the psychological tactics businesses must be ready for.

The exploited CVE (Common Vulnerabilities and Exposures)

A CVE entry is a publicly disclosed security flaw to which a CVE Numbering Authority (CNA) has assigned a CVE ID. The CVE list is maintained by the MITRE Corporation; the U.S. National Vulnerability Database (NVD) and the CERT/CC Vulnerability Notes Database build on and reference those IDs. Reporting vulnerabilities in open-source software helps surface flaws and coordinate fixes, so entries are often submitted by organisations and open-source community members.

Exploitation of publicly disclosed CVEs is a major concern for any organisation's security posture. The Oracle breach is not the first case, and will not be the last, in which an unpatched CVE led to unauthorised access to cloud infrastructure. The volume of CVEs can be overwhelming, and if they are not managed in a timely way they lead to data breaches. A CVE does not itself cause a breach; the risk comes from the window between disclosure and patching, and, as the Oracle case shows, delays in closing that window increase the chance that an attacker exploits the flaw. The absence of a public PoC is no assurance: the actor here claimed to have exploited a CVE that had none. Organisations therefore need to track their exposure to disclosed CVEs and patch within a defined deadline.
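
The following is an added example, not code from the original post or from Oracle or CloudSEK: a small triage routine that takes a backlog of disclosed CVEs, buckets each by CVSS severity, and reports which have sat unpatched past a remediation deadline. The feed records are constructed for the example (the CVE IDs are placeholders, not real entries), the field names loosely follow an NVD-style feed, and the patch-window policy is an assumed one rather than any standard.

```python
"""Added example, not from the original post: triage an unpatched-CVE
backlog by severity and age so publicly disclosed flaws do not sit
unaddressed past a remediation deadline.

The feed records are constructed for this example and loosely follow
the fields an NVD-style feed carries (id, published date, CVSS v3.1
base score); the CVE IDs are placeholders and the patch-window policy
is an assumed one, not a standard.
"""
from datetime import datetime, timezone

# Assumed remediation policy: days allowed from publication to patch,
# keyed by CVSS v3.1 qualitative severity band.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample backlog; the IDs are placeholders, not real CVEs.
SAMPLE_FEED = [
    {"id": "CVE-2099-0001", "published": "2025-01-10T00:00:00Z",
     "cvss": 9.8, "product": "sso-gateway", "patched": False},
    {"id": "CVE-2099-0002", "published": "2025-03-01T00:00:00Z",
     "cvss": 7.5, "product": "ldap-directory", "patched": False},
    {"id": "CVE-2099-0003", "published": "2025-03-10T00:00:00Z",
     "cvss": 5.3, "product": "admin-console", "patched": False},
    {"id": "CVE-2099-0004", "published": "2024-12-01T00:00:00Z",
     "cvss": 9.1, "product": "sso-gateway", "patched": True},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severity_band(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(feed, now: datetime):
    """Return unpatched entries with age and overdue figures, worst first."""
    rows = []
    for rec in feed:
        if rec["patched"]:
            continue
        band = severity_band(rec["cvss"])
        days_open = (now - parse_ts(rec["published"])).days
        rows.append({
            "id": rec["id"],
            "product": rec["product"],
            "cvss": rec["cvss"],
            "band": band,
            "days_open": days_open,
            # Positive means the remediation deadline has already passed.
            "days_overdue": days_open - PATCH_WINDOW_DAYS[band],
        })
    rows.sort(key=lambda r: (-r["days_overdue"], -r["cvss"]))
    return rows


def overdue(feed, now: datetime):
    """Only the entries whose patch window has already elapsed."""
    return [r for r in triage(feed, now) if r["days_overdue"] > 0]


if __name__ == "__main__":
    # Evaluate the backlog as of the date the listing was discovered.
    as_of = parse_ts("2025-03-21T00:00:00Z")
    for row in triage(SAMPLE_FEED, as_of):
        flag = "OVERDUE" if row["days_overdue"] > 0 else "within window"
        print(f"{row['id']} {row['product']:<15} {row['band']:<8} "
              f"open {row['days_open']:>3}d  {flag}")
```

The ordering puts the entry that is furthest past its deadline at the top regardless of raw score, which is the question an operations team actually has to answer; in a real pipeline the feed would come from the NVD API or a scanner export and the "patched" flag from asset inventory, with the same triage logic on top.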

What it means for your online security

The Oracle Cloud breach affects your online security primarily through the supply chain and through exposed credentials. Once stolen, credentials can be used to compromise systems connected to Oracle Cloud, so the sensible response for any affected tenant is to rotate the SSO and LDAP credentials and regenerate the exposed key material rather than wait for confirmation that it was abused. The breach underscores the importance of robust security practices and of timely, transparent breach notification to limit the consequences. It also highlighted the need to secure legacy environments even when they are outdated or replaced, since old credentials left in them can still be valid elsewhere. Another overlooked exposure companies need to address after the Oracle breach is rogue OCI (Oracle Cloud Infrastructure) tenants and similar unused accounts, which should be found and removed to prevent further data breaches.
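
As an added example (not code from the original post or from any Oracle tooling), here is the kind of check that turns "find unused accounts and stale credentials" into something that runs: it walks an identity export and flags accounts that have never logged in or are dormant, accounts without MFA, and API keys older than a rotation limit. The records are constructed, the field names (last_login, mfa, api_keys[].created) are assumptions for the example rather than any vendor's export format, and the thresholds are an assumed policy.

```python
"""Added example, not from the original post: flag dormant accounts and
stale credentials in an identity export, the "unused account" hygiene
the write-up calls for.

The user records are constructed; the field names (last_login, mfa,
api_keys[].created) are assumptions for this example, not any
vendor's export format, and the thresholds are an assumed policy.
"""
from datetime import datetime, timezone

# Assumed policy thresholds.
DORMANT_DAYS = 90        # no interactive login for this long -> dormant
MAX_KEY_AGE_DAYS = 365   # API keys older than this should be rotated

# Constructed sample export.
SAMPLE_USERS = [
    {"name": "svc-legacy-sync", "last_login": None, "mfa": False,
     "api_keys": [{"id": "key-a", "created": "2017-06-01T00:00:00Z"}]},
    {"name": "alice", "last_login": "2025-03-15T09:00:00Z", "mfa": True,
     "api_keys": [{"id": "key-b", "created": "2025-02-01T00:00:00Z"}]},
    {"name": "bob", "last_login": "2024-09-01T12:00:00Z", "mfa": True,
     "api_keys": []},
    {"name": "carol", "last_login": "2025-03-20T08:00:00Z", "mfa": True,
     "api_keys": [{"id": "key-c", "created": "2023-01-15T00:00:00Z"}]},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_user(user, now: datetime):
    """Return the list of findings for one account (empty means clean)."""
    findings = []
    if user["last_login"] is None:
        findings.append("never-logged-in")
    elif (now - parse_ts(user["last_login"])).days > DORMANT_DAYS:
        findings.append("dormant")
    if not user["mfa"]:
        findings.append("no-mfa")
    for key in user["api_keys"]:
        # Keys created in a long-retired "legacy" period are exactly the
        # ones that outlive the environment they were issued for.
        if (now - parse_ts(key["created"])).days > MAX_KEY_AGE_DAYS:
            findings.append(f"stale-key:{key['id']}")
    return findings


def audit(users, now: datetime):
    """Map account name -> findings, only for accounts with at least one."""
    report = {}
    for user in users:
        findings = audit_user(user, now)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    as_of = parse_ts("2025-03-21T00:00:00Z")
    for name, findings in audit(SAMPLE_USERS, as_of).items():
        print(f"{name:<16} {', '.join(findings)}")
```

One caveat when acting on the output: a service account with no interactive login is not automatically unused, because it may authenticate only with its API keys. Before disabling such accounts, correlate with whatever key-usage or audit-log data your identity provider exposes; the never-logged-in finding is a prompt to investigate, and the stale-key finding is a prompt to rotate.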

Read Full Blog Here — Oracle Cloud Got Hit- Lessons in Data Protection and Disclosure
