On 20 March 2025, a Breach Forums user, “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits. Breach Forums is a known marketplace for cybercriminals to trade stolen data and exploits. The threat actor’s post included a list of 140,000 alleged impacted organisations, claiming the stolen records contained encrypted SSO and LDAP passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys. However, the threat actor stated that they could not decrypt the stolen passwords.
The data was allegedly stolen by compromising Oracle servers at ‘login.(region-name).oraclecloud.com’. The threat actor further claimed to an independent news outlet that the breach targeted a vulnerable Oracle Cloud server affected by a publicly known CVE, though no public proof-of-concept (PoC) or exploit exists for it.
Credibility of the Breach
Oracle has denied the breach, stating to multiple media outlets that no Oracle Cloud customers experienced data loss or compromise.
The cybersecurity firm CloudSEK analysed the forum post and, despite Oracle’s denial of the breach, asserts that its investigation revealed a compromised production SSO endpoint, which supports the forum member’s claim. CloudSEK suggests that the attack may have leveraged a known critical vulnerability in Oracle Fusion Middleware, possibly CVE-2021-35587, and confirmed that the affected server (login.us2.oraclecloud.com) was a legitimate production SSO endpoint used for OAuth2 authentication and token generation.
Impact
Out of an abundance of caution, for organisations listed among the 140,000, Arctic Wolf recommends resetting Oracle LDAP and SSO passwords, updating Oracle authentication methods, and rotating any other associated credentials.
While the extent of this alleged data breach is still being clarified, it is likely that several organisations beyond the 140,000 listed could also be affected, even if they are not direct Oracle Cloud customers. Many organisations use Software as a Service (SaaS) products hosted within Oracle Cloud, which could lead to more downstream impact.
Recommendations
While the extent of this alleged data breach is currently unknown, Arctic Wolf recommends taking the following precautions if your organisation was listed.
Reset/Rotate Oracle Credentials: Reset and/or rotate Oracle SSO and LDAP passwords, along with any associated credentials. Enforce strong password policies and implement Multi-Factor Authentication (MFA) to enhance security.
Update Oracle Authentication: Regenerate SASL/MD5 hashes for Oracle systems or migrate to a more secure authentication method.
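The two recommendations above become a concrete worklist once an organisation knows which credentials the claimed data set covers. The following is an added example (not Arctic Wolf's, Oracle's or the forum post's code) that triages an inventory of Oracle-related credentials against the 20 March 2025 disclosure date and the credential categories named in the post, and shows why "regenerate SASL/MD5 hashes" is a separate step from a password reset: a SASL DIGEST-MD5 server (RFC 2831) stores H(A1) = MD5(username ":" realm ":" password), a verifier that is password-equivalent and unsalted beyond the realm, so a leaked copy stays usable until the password changes and the hash is recomputed. The inventory, names and realm are constructed, and the helper assumes the directory stores verifiers in exactly that RFC 2831 form.

```python
# Added example, not from the advisory or from Oracle: rotation triage for
# the credential categories the forum post claimed were stolen, plus the
# DIGEST-MD5 verifier recomputation that "regenerate SASL/MD5 hashes" implies.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import hashlib

DISCLOSURE_DATE = date(2025, 3, 20)  # date of the Breach Forums post

# Credential categories named in the post, lower number = higher priority.
AFFECTED_TYPES = {
    "sso_password": 1,
    "ldap_password": 1,
    "sasl_md5_hash": 1,  # stored DIGEST-MD5 verifier, password-equivalent
    "jks_file": 2,       # Java Keystore (and the password protecting it)
    "key_file": 2,
    "jps_key": 2,        # enterprise manager JPS key
}


@dataclass
class Credential:
    name: str
    ctype: str
    last_rotated: date
    mfa_enabled: bool = False
    realm: str = ""  # DIGEST-MD5 realm, only meaningful for sasl_md5_hash


def digest_md5_ha1(username: str, realm: str, password: str) -> str:
    """Hex H(A1) as a DIGEST-MD5 server stores it (RFC 2831): MD5(user:realm:pw).
    No per-user salt, so the same triple always yields the same verifier."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def regenerate_sasl_md5_hash(username: str, realm: str,
                             old_hash_hex: str, new_password: str) -> str:
    """Recompute the stored verifier for the new password and refuse a change
    that reproduces the leaked value (the old password entered again)."""
    new_hash = digest_md5_ha1(username, realm, new_password)
    if new_hash == old_hash_hex:
        raise ValueError(f"{username}: new password reproduces the exposed hash")
    return new_hash


def rotation_worklist(listed: bool, inventory: list[Credential]) -> list[dict]:
    """Return rotation actions ordered by priority, then name.
    Credentials rotated on or after the disclosure date are treated as done;
    organisations not on the 140,000 list get the same steps one tier lower."""
    actions = []
    for cred in inventory:
        prio = AFFECTED_TYPES.get(cred.ctype)
        if prio is None or cred.last_rotated >= DISCLOSURE_DATE:
            continue
        steps = ["rotate"]
        if cred.ctype == "sasl_md5_hash":
            steps.append("regenerate_hash_or_migrate_auth")
        if cred.ctype in ("sso_password", "ldap_password") and not cred.mfa_enabled:
            steps.append("enable_mfa")
        actions.append({"name": cred.name, "type": cred.ctype,
                        "priority": prio if listed else prio + 1,
                        "steps": steps})
    actions.sort(key=lambda a: (a["priority"], a["name"]))
    return actions


# Constructed sample inventory; names and dates are illustrative only.
SAMPLE_INVENTORY = [
    Credential("svc-erp-sso", "sso_password", date(2024, 11, 2)),
    Credential("ldap-bind-hr", "ldap_password", date(2025, 1, 15), mfa_enabled=True),
    Credential("oid-admin", "sasl_md5_hash", date(2024, 6, 30), realm="example.test"),
    Credential("wls-identity.jks", "jks_file", date(2025, 3, 25)),  # rotated after disclosure
    Credential("report-viewer", "api_token", date(2024, 1, 1)),      # category not in the post
]

if __name__ == "__main__":
    for action in rotation_worklist(listed=True, inventory=SAMPLE_INVENTORY):
        print(action)
    old = digest_md5_ha1("oid-admin", "example.test", "old-password")  # constructed
    print("new verifier:", regenerate_sasl_md5_hash("oid-admin", "example.test",
                                                    old, "new-password"))
```

Run as a script it prints three actions for the sample inventory (the keystore rotated after 20 March and the unrelated API token are skipped) and a fresh verifier for the directory account; swapping `listed=True` for `False` keeps the steps but lowers every priority by one tier, matching the advisory's "abundance of caution" for organisations not on the list.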