Written by: Ekrem Selçuk Çelik, Ferdi Gül, & Yavuz Han

In March 2025, a threat actor known by the alias “rose87168” publicly claimed responsibility for a large-scale cybersecurity incident targeting Oracle Cloud. Posting on the hacker forum BreachForums, the actor asserted that they had compromised Oracle’s traditional login servers (login.(region-name).oraclecloud.com) and exfiltrated approximately 6 million sensitive records, potentially impacting over 140,000 Oracle Cloud tenants globally. Oracle officially denied any breach, stating explicitly that no Oracle Cloud customers experienced data loss or compromise.

Image: the threat actor's post on BreachForums.

However, independent analyses, in particular BleepingComputer's reporting, produced credible evidence that contradicts Oracle's statement. Several Oracle customers confirmed that the data samples provided by the actor were genuine, which lends substantial weight to the breach claim. Moreover, emails allegedly exchanged between the threat actor and Oracle, especially Oracle's attempt to move the conversation to an external channel such as ProtonMail, suggest that the company was actively trying to contain information about the incident.

A March 1, 2025 internet archive image shows Oracle’s attempts to redirect communications with the threat actor to external channels such as ProtonMail, indicating the company’s efforts to contain information about the breach. (Source: web.archive.org)

Additionally, Oracle's login infrastructure (login.us2.oraclecloud.com) was observed running Oracle Fusion Middleware 11g as recently as February 2025. Oracle Access Manager ships as a component of Fusion Middleware, and the 11g-era release 11.1.2.3.0 is one of the versions affected by the critical flaw tracked as CVE-2021-35587. The threat actor claims to have exploited this specific vulnerability to compromise Oracle's servers.

These findings reveal significant discrepancies between Oracle's official position and independent verification, and they raise serious doubts about the accuracy of the company's statements. Beyond the damage to Oracle's credibility, the episode is a reminder that identity infrastructure exposed to the internet must be patched promptly and monitored continuously, because a single unpatched login server can expose every tenant behind it.

According to the threat actor, the stolen data included:

  • Java KeyStore (JKS) files
  • Encrypted SSO and LDAP credentials
  • OAuth2 access keys
  • Enterprise Manager JPS keys
  • Configuration files and a list of tenant domains

According to the actor, the dataset covers more than 140,000 Oracle Cloud tenants, which makes the potential security and reputational exposure significant. The actor stated that companies could pay to have their employees' data removed from the dataset before it was sold, and shared sample data and tenant domain lists to back the claims.

On March 21, 2025, Oracle responded in a statement to Bleeping Computer:

“There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Despite this denial, independent security firms and outlets, including CloudSEK, Orca Security, and eSecurityPlanet, published analyses suggesting otherwise. CloudSEK in particular pointed to the likely exploitation of a known vulnerability in outdated or misconfigured Oracle login infrastructure.

The vulnerability in question is CVE-2021-35587, a critical flaw in the OpenSSO Agent component of Oracle Access Manager (OAM), which itself ships as part of Oracle Fusion Middleware. It is a pre-authentication Java deserialization bug reachable over HTTP: an unauthenticated attacker with network access can take over the OAM server, and because OAM fronts single sign-on for every application behind it, that is effectively a takeover of the whole identity layer. It carries:

  • a CVSS 3.1 base score of 9.8 (Critical)
  • an EPSS score of 94.23% at the time of writing
  • affected versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0

Oracle released fixes in its January 2022 Critical Patch Update and the flaw has since been added to CISA's Known Exploited Vulnerabilities catalog, yet many organizations still have not applied the patch.

Black Kite’s Response: Oracle Cloud Data Breach FocusTag™

The Black Kite Research & Intelligence Team (BRITE) responded with a dedicated FocusTag, ‘Oracle Cloud Data Breach,’ providing insight into the incident’s potential impact on third-party ecosystems.

While Oracle has denied the breach, Black Kite’s BRITE team has classified the confidence level for this FocusTag as Medium. This assessment is based on the credibility of the threat actor’s claims, the nature of the leaked data, and supporting indicators from independent research. Because the team does not have direct access to all of the data samples provided by the actor, the confidence level remains below ‘High’; it may be re-evaluated if further data is verified.

Rather than relying solely on CVE-based tagging (which can produce false positives), this FocusTag leverages the leaked tenant domain list provided by the threat actor to deliver precision targeting. It helps identify over 140,000 potentially impacted organizations, empowering TPRM teams to act decisively.

Image: filtering on the Black Kite platform using the FocusTag.
Image: Black Kite’s Oracle Cloud Data Breach FocusTag™ details critical insights on the event for TPRM professionals.

How Can TPRM Professionals Leverage Black Kite’s Oracle Cloud Data Breach FocusTag™?

Black Kite’s FocusTag™ for the Oracle Cloud Data Breach empowers TPRM professionals to proactively manage risks arising from the alleged breach. By utilizing the leaked tenant domain list, this FocusTag identifies over 140,000 potentially impacted organizations, enabling targeted risk assessment and mitigation.

  • Audit Your Third-Party Ecosystem: Use the FocusTag to meticulously audit your third-party ecosystem and pinpoint vendors whose domains appear on the leaked list.
  • Prioritize Affected Vendors: Focus on vendors running the vulnerable Oracle Access Manager versions (11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0) to prioritize remediation efforts.
  • Direct Vendor Outreach: Initiate direct communication with identified vendors to seek clarification on their potential exposure and to coordinate remediation updates.
  • Targeted Remediation: Black Kite provides the detailed asset information that allows TPRM teams to target remediation efforts where they are most needed.
  • Continuous Updates: This FocusTag, published on March 21, 2025, will be updated as further data verification and analysis become available, ensuring TPRM professionals stay informed about the evolving impact and mitigation strategies related to this incident.

Recommended Actions for Affected Organizations

  • Credential Reset: Promptly reset passwords, especially for privileged LDAP accounts and tenant administrators. Enforce strong password policies and multi-factor authentication (MFA).
  • Certificate and Secret Rotation: Treat everything in the actor’s claimed haul as burned. Regenerate JKS keystores and every certificate whose private key lived in them, rotate OAuth2 client credentials and revoke outstanding tokens, and replace Enterprise Manager JPS keys and any other secrets tied to the potentially compromised configurations.
  • Log Auditing & Monitoring: Conduct a thorough audit of security logs for unusual or suspicious activity. Implement enhanced monitoring tools to detect and alert on unauthorized access attempts or anomalies.
  • Cloud Security Posture Review: Assess and strengthen your overall cloud security posture, with a focus on access controls, identity management, and vulnerability mitigation.
  • Vendor Communication: Reach out to Oracle Support for clarification and ongoing guidance. Push for transparency regarding the breach and any related risks.
  • Contingency Planning: Update your incident response and business continuity plans to account for scenarios involving data breaches and potential extortion threats.
  • Ongoing Threat Monitoring: Continuously monitor your environment using security tools capable of detecting lateral movement, privilege escalation, or other indicators of compromise.
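The "Log Auditing & Monitoring" and "Ongoing Threat Monitoring" items above boil down to one question: are the exposed credentials being used? The script below is an added example, not code from the original post or from Oracle or Black Kite. It works over constructed JSON-lines authentication events in a hypothetical format (the field names `ts`, `user`, `src`, `result` and the account names are assumptions); map them to whatever your identity provider actually emits (OAM audit logs, OCI IAM audit events, an LDAP front end). It builds a per-user baseline of source addresses from the period before the review window and then flags, inside the window, privileged logins from unseen sources and successes that follow a burst of failures from the same source, the pattern you would expect from credential stuffing with leaked material.

```python
"""Hunt for misuse of exposed SSO credentials in authentication logs.

Added example, not code from the original post or from Oracle or Black Kite.
The JSON-lines event format and the account names are hypothetical.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Accounts treated as privileged (hypothetical names; use your own admin roles).
PRIVILEGED = {"tenant-admin", "oamadmin", "weblogic"}
# A success preceded by this many failures from the same source within this
# window looks like stuffing or spraying with leaked credential material.
BURST_FAILURES = 5
BURST_WINDOW = timedelta(minutes=10)
# Everything before this point is treated as "known good" and forms the baseline.
REVIEW_START = datetime(2025, 3, 21, tzinfo=timezone.utc)

# Constructed sample events (JSON lines); not real log data.
SAMPLE_LOG = """
{"ts": "2025-02-20T09:01:00Z", "user": "alice", "src": "203.0.113.10", "result": "success"}
{"ts": "2025-02-20T09:05:00Z", "user": "bob", "src": "203.0.113.11", "result": "success"}
{"ts": "2025-02-21T08:30:00Z", "user": "tenant-admin", "src": "203.0.113.5", "result": "success"}
{"ts": "2025-03-22T02:14:00Z", "user": "tenant-admin", "src": "198.51.100.77", "result": "success"}
{"ts": "2025-03-22T03:00:00Z", "user": "bob", "src": "198.51.100.77", "result": "failure"}
{"ts": "2025-03-22T03:01:00Z", "user": "bob", "src": "198.51.100.77", "result": "failure"}
{"ts": "2025-03-22T03:02:00Z", "user": "bob", "src": "198.51.100.77", "result": "failure"}
{"ts": "2025-03-22T03:03:00Z", "user": "bob", "src": "198.51.100.77", "result": "failure"}
{"ts": "2025-03-22T03:04:00Z", "user": "bob", "src": "198.51.100.77", "result": "failure"}
{"ts": "2025-03-22T03:05:00Z", "user": "bob", "src": "198.51.100.77", "result": "success"}
{"ts": "2025-03-22T09:00:00Z", "user": "alice", "src": "203.0.113.10", "result": "success"}
{"ts": "2025-03-22T10:00:00Z", "user": "carol", "src": "192.0.2.9", "result": "success"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into events with timezone-aware datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events: list[dict]) -> dict[str, set[str]]:
    """Source addresses each user successfully logged in from before the review window."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["ts"] < REVIEW_START and e["result"] == "success":
            seen[e["user"]].add(e["src"])
    return seen


def find_suspicious(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious successful login inside the review window."""
    baseline = build_baseline(events)
    failures: dict[str, list[datetime]] = defaultdict(list)  # src -> failure timestamps
    findings = []
    for e in events:
        if e["result"] != "success":
            failures[e["src"]].append(e["ts"])
            continue
        if e["ts"] < REVIEW_START:
            continue
        reasons = []
        new_source = e["src"] not in baseline.get(e["user"], set())
        if new_source:
            reasons.append("source address not in the user's baseline")
        if new_source and e["user"] in PRIVILEGED:
            reasons.append("privileged account used from an unseen source")
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= BURST_WINDOW]
        if len(recent) >= BURST_FAILURES:
            reasons.append(f"success after {len(recent)} failures from the same source")
        if reasons:
            high = e["user"] in PRIVILEGED or len(recent) >= BURST_FAILURES
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"], "src": e["src"],
                             "severity": "high" if high else "low", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f["severity"].upper(), f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

On the sample data this reports the tenant-admin login from 198.51.100.77 and bob's success after five failures as high severity, and carol's login as low because she has no baseline at all. That last case is the caveat: a source-based baseline is only as good as the history behind it, so keep the baseline window long and review low-severity hits for users who joined recently rather than discarding them.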

Oracle Cloud Breach FAQ

Q: What exactly was compromised in the alleged Oracle Cloud breach?

A: The threat actor claims to have exfiltrated approximately 6 million sensitive user records, including Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, OAuth2 access keys, Enterprise Manager JPS keys, and tenant domain lists.

Q: The involved company denies the breach occurred. Why should we still be concerned?

A: Independent cybersecurity researchers have provided credible analyses indicating otherwise. Evidence such as leaked data samples, verified production environments, and real customer domains substantiates the threat actor’s claims, suggesting significant potential risk despite the company’s denial. Customer confirmations of the data sample validity also increase this concern.

Q: Which vulnerability was likely exploited?

A: The breach appears linked to CVE-2021-35587, a critical vulnerability in Oracle Access Manager allowing unauthenticated remote attackers to gain full system access. This vulnerability affects Oracle Access Manager versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

Q: Is there a tool to check if my organization is affected?

A: Yes, tools have been released enabling organizations to verify if their domain appears in the threat actor’s leaked tenant list, helping to quickly identify potential impact.
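Both the TPRM checklist above (audit the vendor ecosystem against the leaked list, then prioritize by OAM version) and this answer come down to the same cross-reference. The script below is an added example, not Black Kite's FocusTag code or any of the public checker tools. The leaked domains, vendor records and version strings are constructed for illustration; the only values taken from the text are the three affected Oracle Access Manager releases. It normalizes list entries the way they actually appear in dumps and questionnaires (URLs, host:port, trailing dots, `*.` wildcards), indexes the leak so that exact, parent and child matches are found without an n×m scan, and assigns each vendor a priority tier.

```python
"""Cross-check a vendor inventory against a leaked tenant-domain list.

Added example, not Black Kite's FocusTag code. The leaked list, vendor
records and version strings are constructed; the affected Oracle Access
Manager releases are the ones named in the advisory text.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Oracle Access Manager releases affected by CVE-2021-35587.
AFFECTED_OAM_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}


def normalize_domain(value: str) -> str:
    """Reduce a raw entry (URL, host:port, trailing dot, '*.' wildcard) to a bare host."""
    v = value.strip().lower()
    if "://" in v:
        v = urlsplit(v).hostname or ""
    else:
        v = v.split("/", 1)[0].split(":", 1)[0]
    v = v.rstrip(".")
    if v.startswith("*."):
        v = v[2:]
    return v


def suffixes(host: str) -> Iterable[str]:
    """Yield the host and each parent with at least two labels: a.b.c -> a.b.c, b.c."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


class LeakIndex:
    """Leaked domains indexed for exact lookups and parent/child relationships."""

    def __init__(self, leaked: Iterable[str]) -> None:
        self.exact: set[str] = set()
        self.by_parent: dict[str, set[str]] = defaultdict(set)
        for raw in leaked:
            d = normalize_domain(raw)
            if not d:
                continue
            self.exact.add(d)
            for parent in suffixes(d):
                if parent != d:
                    self.by_parent[parent].add(d)

    def lookup(self, raw_domain: str) -> dict:
        d = normalize_domain(raw_domain)
        parent = next((s for s in suffixes(d) if s != d and s in self.exact), None)
        return {
            "domain": d,
            "exact": d in self.exact,                            # the domain itself is listed
            "parent_in_leak": parent,                            # vendor host sits under a listed domain
            "leaked_children": sorted(self.by_parent.get(d, ())),  # listed hosts under the vendor domain
        }


@dataclass(frozen=True)
class Vendor:
    name: str
    domains: tuple[str, ...]
    oam_version: str | None = None  # self-reported by the vendor; None when unknown


def assess(vendor: Vendor, index: LeakIndex) -> dict:
    """Tier 1: listed and on an affected release; 2: listed; 3: affected release only; 4: neither.
    A match means 'contact the vendor', not 'confirmed compromised': the list is actor-supplied."""
    hits = [index.lookup(d) for d in vendor.domains]
    matched = [h for h in hits if h["exact"] or h["parent_in_leak"] or h["leaked_children"]]
    on_list = bool(matched)
    affected = vendor.oam_version in AFFECTED_OAM_VERSIONS
    priority = 1 if on_list and affected else 2 if on_list else 3 if affected else 4
    return {"vendor": vendor.name, "on_list": on_list, "affected_version": affected,
            "priority": priority, "hits": matched}


def assess_all(vendors: Iterable[Vendor], index: LeakIndex) -> list[dict]:
    return sorted((assess(v, index) for v in vendors), key=lambda r: (r["priority"], r["vendor"]))


# Constructed sample data; none of these entries come from the actual leak.
LEAKED_TENANT_DOMAINS = [
    "example-corp.com",
    "sso.example-corp.com",
    "Login.ACME-Bank.example.",
    "https://portal.northwind.example/",
    "*.contoso-health.example",
]
VENDORS = [
    Vendor("Example Corp", ("example-corp.com", "hr.example-corp.com"), "11.1.2.3.0"),
    Vendor("ACME Bank", ("acme-bank.example",), "12.2.1.4.1"),
    Vendor("Northwind", ("northwind.example", "northwind.co"), None),
    Vendor("Contoso Health", ("contoso-health.example",), "12.2.1.4.0"),
    Vendor("Fabrikam", ("fabrikam.example",), "12.2.1.3.0"),
    Vendor("Tailspin", ("tailspin.example",), "14.1.2.1.0"),
]

if __name__ == "__main__":
    index = LeakIndex(LEAKED_TENANT_DOMAINS)
    for r in assess_all(VENDORS, index):
        print(f"P{r['priority']} {r['vendor']:<15} on_list={r['on_list']!s:<5} "
              f"affected_version={r['affected_version']} hits={[h['domain'] for h in r['hits']]}")
```

Two caveats for real use. Parent/child matching is what makes a list of bare tenant domains useful against an inventory of login hosts, but it also produces false positives when a listed name is a shared parent (a hosting provider's domain, a SaaS vendor's wildcard), so review those hits by hand before outreach. And a priority-1 result says only that the vendor's name is in an unverified, actor-supplied list and that they report an affected release; it is a reason to ask the vendor for their patch level and rotation status, not evidence that they were breached.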

Q: Could this data be fabricated or from a test environment?

A: While some data could be misconstrued as test data, extensive verification indicates that the compromised data includes real tenant domains and active OAuth2 interactions. This significantly reduces the likelihood that the data is fabricated or solely from a testing environment. Customer validation of the data samples also reduces this possibility.

Q: What immediate actions should affected organizations take?

A: Affected organizations should immediately reset all LDAP and administrative passwords, enable multi-factor authentication (MFA), regenerate all potentially compromised certificates and secrets, conduct thorough log auditing, and strengthen overall cloud security posture.

Q: What is Black Kite’s Oracle Cloud Data Breach FocusTag™?

A: The BRITE team created the “Oracle Cloud Data Breach” FocusTag™ to identify organizations potentially impacted by this incident using the threat actor’s leaked tenant domain list. The FocusTag helps third-party risk management teams efficiently identify, assess, and mitigate related risks.

Q: How confident is Black Kite that the breach occurred?

A: Black Kite’s BRITE team currently classifies its confidence in this breach as Medium. The assessment could be raised to High upon further verification of additional leaked data.

Q: Will there be collaboration with Oracle on this matter?

A: Critical, sensitive details have been proactively shared with Oracle, and collaborative efforts aimed at thorough investigation and mitigation remain open.

Q: Why are cloud vulnerabilities particularly critical for supply chain security?

A: Cloud vulnerabilities can cascade quickly due to interconnected cloud environments, making organizations vulnerable to wide-reaching supply chain attacks. This breach underscores the importance of proactive cloud security measures, continuous monitoring, and rapid incident response capabilities.

Q: What do we know about how Oracle handled communication regarding the breach?

A: Communications shared by the threat actor indicate that someone claiming to be from the company insisted that all communication be conducted through a specific platform. This suggests efforts to contain information about a possible breach. Furthermore, the company’s initial denials contradict customer confirmations of the data sample authenticity, raising questions about transparency.

Q: Why is Oracle so strongly denying the breach?

A: The company may be attempting to maintain confidence in its cloud security and protect its reputation. Especially given the company’s public assertions regarding cloud security and AI surveillance systems, acknowledging a data breach could weaken its market position. However, customer verification of the data samples complicates the company’s stance.

Conclusion

The Oracle Cloud breach – alleged or not – is a reminder of the cascading risk potential in third-party ecosystems. A vulnerability that has had a patch available for years, like CVE-2021-35587, remains fully exploitable on any instance that was never updated, and a single such instance in an identity tier can expose every tenant behind it.

If you want to learn where to start when it comes to responding to a data breach in your supply chain, we recommend beginning with our blog post, “How to Respond to a Data Breach in Your Supply Chain”. That post focuses on the impact of ransomware attacks on businesses and outlines the steps organizations should take during and after a data breach within their supply chain.

Effectively handling such an incident requires a well-prepared, coordinated response plan—both technically and communicatively. By using Black Kite’s FocusTags™, your TPRM team can stay proactive, precise, and protected. At this point, partnering with Black Kite can provide critical value by helping you strengthen your defenses with a supply chain–focused perspective.

Black Kite’s FocusTags™ turn complex cybersecurity data into actionable insights, enabling TPRM professionals to manage vendor risk with clarity and confidence. In today’s fast-paced digital world, they’re key to staying resilient and ahead of threats.

References

https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com

https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/

https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants

https://www.darkreading.com/cyberattacks-data-breaches/oracle-denies-claim-oracle-cloud-breach-6m-records

https://www.webpronews.com/oracle-customers-throw-cold-water-on-companys-claim-it-was-not-hacked

https://blackkite.com/blog/how-to-respond-to-a-data-breach-in-your-supply-chain



Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.