Oracle Denies Breach — But Did a Hacker Really Steal 6 Million Records?
Oracle has firmly denied allegations of a security breach after a hacker claimed to have stolen 6 million data records from the company’s cloud infrastructure. The tech giant reassured its customers that their data remains secure, despite the hacker’s claims on a cybercrime forum.
The controversy began when a threat actor, known by the alias “rose87168,” alleged that they had breached Oracle Cloud’s federated single sign-on (SSO) login servers. The hacker claimed to have obtained sensitive information, including encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys.
Oracle swiftly responded to the claims, stating:
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
This official statement was provided to cybersecurity news outlet BleepingComputer, which had reached out to Oracle for clarification.
Hacker Claims and Evidence
Despite Oracle’s denial, “rose87168” released several text files purportedly containing sample database records, LDAP information, and a list of affected companies. To support their claim, the hacker uploaded a text file with their ProtonMail email address to Oracle’s login.us2.oraclecloud.com server and shared the Internet Archive link as proof.
BleepingComputer contacted Oracle again, seeking clarification on how the hacker could have uploaded a file to its cloud servers without having access to them. However, the company has not provided further details on this matter.
Sale of Allegedly Stolen Data
The hacker has put the allegedly stolen Oracle Cloud data up for sale on the BreachForums hacking forum. They are asking for either an undisclosed amount of money or zero-day exploits in exchange for the data. Additionally, they have reportedly offered affected companies the option to pay a ransom to remove their employees’ information from the list before it is sold.
“rose87168” has also sought assistance in decrypting the stolen SSO passwords and cracking LDAP hashes. The threat actor claimed to have infiltrated Oracle Cloud servers about 40 days ago and attempted to extort the company for 100,000 XMR (Monero cryptocurrency) in exchange for information on the vulnerability used to breach the system. However, Oracle allegedly declined the offer after requesting all the necessary details for fixing the security flaw.
Unverified Vulnerability Exploitation
The hacker claims that a vulnerability in a widely used software version compromised the Oracle Cloud servers. While they assert that the flaw has a public CVE (Common Vulnerabilities and Exposures) number, they claim that no public proof-of-concept (PoC) or exploit exists yet.
BleepingComputer has not independently verified the legitimacy of these claims. Additionally, the outlet has contacted several companies that allegedly lost data to confirm whether the information is genuine.
Our Thoughts:
While the hacker insists on having access to sensitive Oracle Cloud data, Oracle maintains that its systems remain secure and that no customer data was compromised. The two accounts cannot both be true, and the unexplained file upload to login.us2.oraclecloud.com is the detail that investigators and affected companies will want Oracle to address. Further updates may emerge as cybersecurity experts and affected companies examine the claims.