Oracle has been the subject of two data security breaches in the last week. The database giant is not only reluctant to acknowledge these disasters publicly, but it may also be scrubbing evidence from the web.
A netizen using the handle rose87168 claimed on March 20, 2025 that he had accessed two login systems for the IT giant's customers' cloud services, allowing him to steal what was said to be six million records, including copies of subscribers' encrypted single sign-on passwords, encrypted LDAP passwords, security certificates and more.
Oracle denied that its networks and customers had been compromised. A spokesperson told The Register on Friday, March 21:
"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
The netizen sent proof of the allegedly stolen Oracle-hosted information to Alon Gal, co-founder and CTO of security shop Hudson Rock.
Gal stated that he had shown this material to Oracle customers, who confirmed that it appeared legitimate: it was their own data, entrusted to Oracle, and now in the hands of other people. The evidence included an extract of a database containing personal information on employees of Oracle customers, sample LDAP files, and a list of supposedly affected firms.
Around that time, infosec outfit CloudSEK released a report on the purported security breach. It concluded that the sample data corresponded to production systems serving real customers, and that the intrusion, which involves a compromised Oracle SSO service, could affect thousands of tenants. Orca Security and CloudSEK both claim that the break-in involved the abuse of CVE-2021-35587, an "easily exploitable vulnerability [that] allows [an] unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager."
It's been claimed that Oracle failed to patch this years-old vulnerability in the public-facing middleware of its production SSO servers, which allowed someone to swoop in and grab sensitive data.
Here come the lawsuits…
Oracle was sued today [PDF] for alleged negligence and breach of contract over its failure to properly secure its customers' data and to notify them in a timely fashion.
The federal lawsuit, filed in west Texas, seeks class-action status and covers both the Cloud and the Health security breaches. It asks for damages, costs, and a commitment from Oracle to better protect customers, their data and their computers.
Gal questioned Oracle's continued silence in a LinkedIn posting on Monday, and said that rose87168 could take further action to prove an Oracle Cloud compromise. Gal said:
"With no word from Oracle yet … rose87168 is indicating they are moving to a new phase, potentially selling or leaking the data." Oracle, he suggested, is trying to avoid responsibility by using very specific words in its statements about Oracle Cloud. "Pretty crazy Oracle just denied this leak which has been verified independently by many cybersecurity firms."
Infosec expert Kevin Beaumont has also criticized Oracle, saying that the firm is splitting hairs when it draws a distinction between Oracle Cloud and Oracle Cloud Classic.
The US super-corp says Oracle Cloud was not compromised, but that leaves open the possibility that Oracle Cloud Classic was the specific product that was compromised. According to rose87168, it was Oracle's public cloud service that was compromised. Beaumont wrote:
"Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they're doing about it. This is a matter of trust and responsibility. Step up, Oracle – or customers should start stepping off."
Beaumont and Jake Williams, another security researcher, both claimed Oracle appeared to have used the Wayback Machine's archive exclusion process to scrub evidence of the intrusion.
Rose87168 left a file on one of Oracle's production login systems for its cloud service clients as proof that they had been there. The file contained the netizen's private email address, and only an attacker or a rogue employee could have placed the document there. This text file was publicly accessible and was indexed here by the Wayback Machine. However, the document has since been removed from the archive on request.
A copy of it can still be found here by twiddling the URL slightly, from a capture of login.us2.oraclecloud.com on March 1, a whole month ago.
What's the score? Let us know in confidence.