
Oracle Cloud Breach Allegations Disputed Amid Confirmed Data Leaks

Oracle faces renewed scrutiny after a threat actor claimed to breach its Oracle Cloud SSO infrastructure. Despite the company’s strong denial, leaked data appears to be real, raising questions about the security of cloud authentication systems.

Threat Actor Claims Access to 6 Million Accounts

A user named ‘rose87168’ announced they had infiltrated Oracle Cloud’s federated SSO servers. They claimed to have stolen authentication data and encrypted passwords linked to 6 million users. This person began offering the information for sale and even invited others to help decrypt the compromised passwords using files from the breach.

To prove access, the threat actor published multiple text files. These included what they described as database contents, LDAP information, and a list of over 140,000 domains—allegedly tied to both government entities and private organizations. Some of the domains appear to be test instances or duplicates, but many reference real companies.

Evidence Suggests Actual Server Access

BleepingComputer received additional files from the threat actor. One included a live Archive.org link pointing to a text file hosted on login.us2.oraclecloud.com. This file showed the attacker’s email address and demonstrated the ability to create files on Oracle’s infrastructure—strong evidence of unauthorized access.

Cybersecurity firm CloudSEK further verified that the Oracle server was running Fusion Middleware 11g as recently as February 17, 2025. This version contained a critical flaw (CVE-2021-35587) that allowed unauthenticated access to Oracle Access Manager. The threat actor claimed they used this vulnerability to penetrate Oracle’s servers.

Oracle Maintains Denial Despite Contradictory Findings

Oracle responded by denying any breach. The company stated clearly:

“There has been no breach of Oracle Cloud. The published credentials are not related to Oracle Cloud, and no customer data has been compromised.”

Leaked Emails Suggest Contact Between Oracle and Attacker

The threat actor also shared email exchanges. One message, sent to Oracle’s security team, claimed full access to the company’s cloud dashboard and user data. Another thread involved a ProtonMail address allegedly linked to someone at Oracle, who acknowledged receiving the report and suggested moving communications off Oracle’s primary domain. The identity of this individual remains unverified.

Following the publication of these findings, Oracle appears to have taken the affected login server offline.

Cloud Security Lessons from the Alleged Breach

Even as Oracle continues to deny the breach, the shared data and related actions raise red flags for the cloud security community. If the attacker exploited CVE-2021-35587 as claimed, it highlights the need for rapid patching, vulnerability management, and SSO hardening.

Organizations relying on cloud-based SSO systems should review their access controls, monitor for unauthorized file creation, and validate the integrity of login portals. Proactive security remains the best defense against emerging threats like this.
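One concrete way to do the "monitor for unauthorized file creation" check above is a baseline-and-diff integrity scan of the login portal's web root. The script below is an added example, not code from the article or from Oracle; the directory layout and file contents are constructed for the demonstration.

```python
"""Added example: detect files that appear, change or vanish under a
login portal's web root by comparing SHA-256 snapshots against a baseline.
All paths and contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return files added, modified and removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo(root=None):
    """Build a baseline, then simulate an unexpected text file appearing
    in the login directory (constructed scenario) and report the diff."""
    root = Path(root or tempfile.mkdtemp())
    (root / "login").mkdir(parents=True, exist_ok=True)
    (root / "login" / "index.html").write_text("<html>login form</html>")
    baseline = snapshot(root)
    # Constructed event: a file nobody deployed shows up under the portal.
    (root / "login" / "proof.txt").write_text("unexpected content")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a known-good deployment and the scan run on a schedule, with any "added" or "modified" entry raised as an alert.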

David McAfee

David McAfee is a seasoned cybersecurity expert with over a decade of experience at VPN Group. Specializing in online privacy and digital security, he has played a key role in developing advanced strategies to protect individuals and organizations from cyber threats.