Despite Oracle’s continued denial of a data breach affecting its Cloud services, mounting evidence suggests that a significant security compromise may have occurred, potentially exposing the personal information of millions of users. The company’s federated Single Sign-On (SSO) systems are believed to be the source of the breach, and a hacker group, known as “rose87168,” has allegedly accessed Oracle Cloud’s login infrastructure. This claim has been supported by emerging details of the breach that suggest user data—including encrypted passwords and personal user details—has been compromised and is now being sold online.
The incident first surfaced when the hacker “rose87168” posted on a popular hacking forum, where they claimed to have stolen valuable authentication data from Oracle’s systems. The hacker shared multiple text files containing critical data such as LDAP records, encrypted passwords, and details about over 140,000 domains tied to impacted organizations, which included both private corporations and government entities. This revelation immediately raised alarm within the cybersecurity community.
In a particularly troubling development, the hacker also shared a direct link to a file hosted on Oracle’s own domain, “login.us2.oraclecloud.com.” The file not only contained the hacker’s contact email but also implied that they had the ability to write files directly to Oracle’s servers, further suggesting that the breach may have been more severe than initially reported.
In response to the allegations, Oracle firmly denied that any breach had occurred. A statement from the company read, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” However, this position was immediately questioned as representatives from multiple organizations, whose data appeared in the leaked files, confirmed that the user information—such as LDAP display names and email addresses—was accurate and tied to their personnel.
Cybersecurity experts have pointed to a possible vulnerability in Oracle’s infrastructure that may have facilitated the breach. Research by Cloudsek, a well-known cybersecurity firm, revealed that the Oracle server involved was running Fusion Middleware 11g as recently as February 2025. This version is known to be vulnerable to CVE-2021-35587, a flaw in Oracle Access Manager that can allow unauthenticated access to sensitive systems. The hacker “rose87168” has claimed that they exploited this vulnerability to gain unauthorized access to Oracle’s systems, further complicating the company’s denial of a breach.
In the wake of these revelations, Oracle took the affected login server offline, but it has yet to acknowledge whether this action was directly related to the reported breach. Adding another layer of complexity to the situation, leaked email exchanges between the hacker and Oracle’s security team were reviewed by BleepingComputer. In these exchanges, the hacker reiterated their claim to have access to data on six million users, while one email from a ProtonMail address—allegedly affiliated with Oracle—suggested that the conversation should continue via private email. This has raised concerns about the handling of internal communications during a potential security incident.
Despite Oracle’s continued insistence that no breach occurred, the growing body of evidence, including verified data samples, exploitable software versions, and the unaddressed access to its servers, casts doubt on the company’s position. As the situation develops, the tech and cybersecurity communities are closely monitoring Oracle’s actions and response, with many urging the company to take more decisive measures in addressing the potential breach and securing its infrastructure moving forward.
With the incident unfolding, it’s clear that organizations relying on cloud services, particularly those using Oracle Cloud, must remain vigilant and proactive in monitoring their systems for potential vulnerabilities and breaches, especially in an environment where emerging cyber threats continue to evolve at a rapid pace.
