Oracle Cloud Breach: Security Firm Challenges Oracle’s Denial with Evidence


The Oracle Cloud data breach incident has taken a new turn. The cybersecurity firm CloudSEK has unveiled evidence confirming the exposure of sensitive enterprise data via Oracle Cloud’s production Single Sign-On (SSO) endpoints. This contradicts Oracle’s denial of any breach, even as a threat actor is selling 6 million allegedly exfiltrated records.

Investigation Unveils Critical Exposure 

CloudSEK launched its investigation on March 21, 2025, after its threat intelligence platform detected a cybercriminal, identified as “rose87168,” offering 6 million records for sale. The data reportedly originates from Oracle Cloud’s SSO and Lightweight Directory Access Protocol (LDAP) systems and affects more than 140,000 tenants across multiple industries.

According to the threat actor, access was obtained via the login endpoint login.(region-name).oraclecloud.com, which serves as a core authentication system for Oracle Cloud users.

Oracle Denies, CloudSEK Presents Evidence 

Oracle responded to initial reports by stating, “There has been no breach of Oracle Cloud.” However, CloudSEK’s investigation, using its Nexus platform and cyber HUMINT, presents findings that challenge Oracle’s position. 

The threat actor provided a sample of customer data along with a text file created on login.us2.oraclecloud.com, supporting their claim that the server was active weeks before the breach became public. CloudSEK released its findings via a TLP Green report for the public and a TLP RED report directly to Oracle. 

“We’re driven by transparency and evidence, not speculation,” said Rahul Sasi, CEO and Co-Founder of CloudSEK. The company has also made a free tool available to help organizations check whether they are affected.

Key Findings of the Breach 

CloudSEK’s investigation highlights three major points: 

  • SSO Endpoint in Production Use: A script from an archived Oracle GitHub repository, “mpapihelper.py,” confirmed that login.us2.oraclecloud.com was a production endpoint; the script used it for OAuth2 token generation. Further validation came from OneLogin and Rainfocus documentation referencing this setup.
  • Real User Exposure: Domains such as sbgtv.com, nexinfo.com, cloudbasesolutions.com, nucor-jfe.com, and rapid4cloud.com matched the leaked tenant list, confirming the data pertains to actual Oracle Cloud users.
  • Operational Legitimacy: The affected server was involved in SAML configurations and Identity Provider metadata retrieval, aligning with Oracle’s deployment model.

Security Implications 

The breach has exposed a massive amount of sensitive data, increasing the risk of unauthorized access, credential compromise, and cyber espionage. If attackers decrypt the exfiltrated SSO/LDAP passwords, it could lead to further system breaches. 

Additionally, the threat actor is allegedly extorting affected firms, demanding ransoms for data removal. The presence of a suspected zero-day vulnerability suggests that Oracle Cloud may have unpatched security flaws, raising concerns about broader implications. 

Furthermore, exposed Java KeyStore (JKS) files could enable supply chain attacks, potentially affecting interconnected systems reliant on Oracle Cloud authentication.

While Oracle maintains its stance that no breach has occurred, CloudSEK’s evidence raises serious questions about security gaps in Oracle Cloud’s authentication systems.
