Article Details

Scrape Timestamp (UTC): 2025-03-23 21:12:54.560

Source: https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credentials/

Original Article Text


Oracle Cloud says it's not true someone broke into its login servers and stole data, despite evidence to the contrary as alleged pilfered info goes on sale.

Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. A crook late last week advertised on an online cyber-crime forum what was alleged to be Oracle Cloud customer security keys and other sensitive data swiped from the IT giant. This material was said to have been obtained from at least one of the cloud provider's single-sign-on (SSO) login servers by exploiting a security vulnerability.

Oracle says that's not true. "There has been no breach of Oracle Cloud," a spokesperson told The Register on Friday. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

Meanwhile, as noted by the guys at Bleeping, the miscreant boasted of creating a text file on an Oracle Cloud login server, specifically login.us2.oraclecloud.com, captured here by the Internet Archive's Wayback Machine in early March, as proof that systems were compromised. That file contains simply the email address of the person attempting to sell what's said to be the stolen Oracle Cloud data. We've asked Oracle for further clarification or an explanation.

It's claimed that information was exfiltrated from the EM2 as well as the US2 login server. Samples of allegedly stolen info were also shared by the would-be thief.

Looking through the Wayback Machine, we can see that the US2 server was as recently as February 2025 running some form of Oracle Fusion Middleware 11G. Infosec outfit CloudSEK reckons that server may not have been patched to close CVE-2021-35587, a known critical vulnerability in Fusion Middleware's Oracle Access Manager, specifically its OpenSSO Agent. Exploiting that bug, which can be done over HTTP with no authentication, would potentially give an intruder access to the very kind of information put up for sale this week. Public exploit code for the flaw exists.

On Thursday, what was claimed to be six million records of Oracle Cloud customers' Java KeyStore files, which contain security certificates and keys; encrypted Oracle Cloud SSO passwords; encrypted LDAP passwords; Enterprise Manager JPS keys; and other information stolen from the cloud provider went up for sale on BreachForums by a previously unknown netizen going by the name rose87168. The number of potentially affected customers is said to be in the thousands. The price for this info has not been disclosed, as far as we can tell, and the seller is also accepting zero-day exploits as payment.

It's said rose87168 contacted Oracle about a month ago to let the database giant know about the alleged data theft, wanted more than $200 million in cryptocurrency in exchange for details about the claimed heist, and was turned down.

The miscreant has also asked for help in decrypting the encrypted credentials. "The SSO passwords are encrypted, they can be decrypted with the available files," the attacker claimed in their BreachForums post. "Also LDAP hashed passwords can be cracked. I couldn't do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift."

Additionally, the would-be thief has shared a list of the domains of all of the companies caught up in the denied security breach, and noted that the apparently not-compromised Oracle customers can "pay a specific amount to remove their employees' information before it's sold."

Daily Brief Summary

DATA BREACH // Oracle Cloud Denies Breach Amid Claims of Stolen Customer Data

Oracle refutes allegations that its cloud services were breached and customer data stolen, despite online sale of purported security keys and sensitive data.

An unknown entity advertised on a cyber-crime forum claiming they had obtained data from Oracle Cloud’s single-sign-on servers by exploiting a vulnerability.

Oracle insists there was no breach, stating that no customer data was lost and the credentials for sale do not pertain to their cloud services.

Evidence was provided by the seller indicating a compromised Oracle server, including a text file created as proof of the breach.

Security experts suggest the server may have been vulnerable due to an unpatched critical flaw in Oracle Fusion Middleware's Access Manager.

The purported stolen data includes Java KeyStore files, encrypted passwords, and other sensitive information, potentially impacting thousands of customers.

The seller, identified as rose87168, reportedly demanded over $200 million in cryptocurrency from Oracle to reveal details of the breach, which Oracle refused.

Rose87168 also shared a list of domains of the affected companies, offering to withhold their data from sale for a ransom.