News: 1742924142


There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial

(2025/03/25)


Oracle Cloud's denial of a digital break-in is now in clear dispute. An infosec researcher working on validating claims that the cloud provider's login servers were compromised earlier this year says some customers have confirmed data allegedly stolen and leaked from the database giant is genuine.

Since Oracle rubbished reports of a security breach, rose87168, the individual who claimed responsibility for the alleged intrusion and theft of approximately six million records – customer security keys, encrypted credentials, LDAP entries, and other data – sent a 10,000-line sample of the collection to Alon Gal, co-founder and CTO at security shop Hudson Rock.

Gal [1]said he took the sample and reached out to multiple Hudson Rock customers who appeared to be affected. Three customers have since confirmed the data handed to Gal by rose87168 from Oracle Cloud's internal systems is genuine, according to the CTO.


One customer, we're told, said its users are in the sample set, and have access to sensitive information. Another concurred, claiming the data is legitimate and from a production environment though it dates back to 2023. A third Hudson Rock customer said their users and tenant IDs match those in the sample, and that they are used in their production environment.


The Register [5]reported over the weekend Oracle was denying the claims made by rose87168 late last week that the netizen breached Oracle's login servers using a vulnerability and stole the aforementioned customer security keys and other sensitive data.

"There has been no breach of Oracle Cloud," Oracle said. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."


In addition to providing researchers with a sample of the sensitive data they allegedly stole from the IT titan, rose87168 also demonstrated they were able to create a text file, [7]archived here, on a public-facing Oracle-owned web server as proof of their intrusion and the heist. That file contained rose87168's email address, seemingly to show they did indeed have access to the login server.

Infosec outfit CloudSEK speculated rose87168 appeared to have exploited CVE-2021-35587, a critical vulnerability in Oracle Access Manager that would have given the miscreant access to the kinds of credentials and other data said to have been siphoned. That would mean Oracle failed to patch a hole in its own software on its own infrastructure.

Along with Gal, CloudSEK [8]said on Tuesday the same 10,000-line sample of data was sent to its staff, and appeared to cover more than 1,500 affected organizations.


CloudSEK said after looking at the sample, "the volume and structure of the leaked information make it extremely difficult to fabricate, reinforcing the credibility of the breach."


If the data is genuine, as some infosec watchers suggest it is, the potential consequences of it falling into the wrong hands are serious and substantial.

With access to data such as customers' digital security certificates and keys, SSO and LDAP passwords, and more, cyber-criminals could take that and use it to carry out supply chain and ransomware attacks, among others.

The SSO and LDAP passwords are encrypted, and according to [14]BreachForums posts made by rose87168, the alleged thief has been unsuccessful in breaking the hashes. However, they offered a free portion of the data to anyone who could help.

The price for the entire trove of data isn't known, but rose87168 said they'd happily accept cash or zero-day exploits for their trouble.

Experts are advising organizations who have any suspicion that they may be affected to rotate their SSO and [15]LDAP credentials, and ensure strong password policies and [16]MFA are in place. Triggering an incident response plan is also a good idea to check whether any unauthorized intrusions have taken place.
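The validation step the Hudson Rock customers performed, matching their own users and tenant IDs against the leaked sample, is also how a defender decides which accounts the rotation advice above applies to. The Python below is an added illustration, not code from the article, Hudson Rock or CloudSEK; the LDIF-style layout, the `o=tenant-...` naming convention and every value in the sample are constructed assumptions.

```python
"""Match a leaked-sample extract against your own tenant inventory.

Added illustration only. The sample below is constructed in the style of
an LDAP export; the tenant-id naming scheme is an assumption, not Oracle's.
"""
import re
from collections import defaultdict

# Constructed sample: three LDIF-style entries across two made-up tenants.
SAMPLE = """\
dn: cn=alice,ou=users,o=tenant-acme-1234,dc=example
mail: alice@acme.example
userPassword: {SSHA}placeholder-hash-not-real

dn: cn=bob,ou=users,o=tenant-acme-1234,dc=example
mail: Bob@acme.example

dn: cn=carol,ou=users,o=tenant-globex-9876,dc=example
mail: carol@globex.example
"""

# Assumed convention: the tenant sits in the 'o=' component of the DN.
TENANT_RE = re.compile(r"o=(tenant-[a-z0-9-]+)")


def parse_sample(text):
    """Group the sample's mail addresses by tenant id (lower-cased)."""
    by_tenant = defaultdict(set)
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1)
                      for line in block.splitlines() if ": " in line)
        match = TENANT_RE.search(fields.get("dn", ""))
        if match and "mail" in fields:
            by_tenant[match.group(1)].add(fields["mail"].lower())
    return by_tenant


def affected_accounts(sample_text, my_tenants, my_users):
    """Return (tenant ids seen in the sample, accounts that need rotating).

    An account is flagged only when both its tenant id and its address
    appear in the sample, which is the overlap the customers reported.
    """
    parsed = parse_sample(sample_text)
    matched = {t for t in my_tenants if t in parsed}
    known = {u.lower() for u in my_users}
    to_rotate = set()
    for tenant in matched:
        to_rotate |= parsed[tenant] & known
    return matched, to_rotate
```

Because the article notes the SSO and LDAP hashes had not been cracked at the time, the output is a rotation list regardless of hash strength, not a list of confirmed compromises.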

The Register asked Oracle for a response to the latest developments from CloudSEK and Hudson Rock, and it did not immediately respond. ®




[1] https://www.linkedin.com/posts/alon-gal-utb_big-i-just-received-10000-records-from-activity-7310017463516127232-XWbI/


[5] https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credentials/


[7] https://web.archive.org/web/20250301161517/https://login.us2.oraclecloud.com/oamfed/x.txt?x

[8] https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis


[14] https://www.theregister.com/2024/05/28/breachforums_back_online/

[15] https://www.theregister.com/2025/01/09/security_pros_baited_by_fake/

[16] https://www.theregister.com/2025/02/25/google_sms_qr/




NoneSuch

Reality: 1

Oracle: 0

David 132

I'm not one for victim-blaming, and the blame & odium belong squarely on the miscreant, but I will say... this couldn't happen to a nicer and more deserving company than Oracle. Nyuk, nyuk.

Employment

Fruit and Nutcase

The price for the entire trove of data isn't known, but rose87168 said they'd happily accept cash or zero-day exploits for their trouble.

Oracle could offer a consultancy to rose87168. Maybe sweeten the deal with an invitation to lunch with Larry in one of his yachts?

Fun stuff for Bob and Jenny to do at the office.

Tron

Reduce your cloud footprint.

Unless you really, really need your data to be on a[ny] cloud, archive it on those very cheap multi-TB HDDs you can now buy for peanuts, with as many copies as you need, and store it somewhere safe, offline.

And don't store data for the sake of it. Only if you have a valid reason to store it. If you are never going to need it, you may as well be paying to archive and curate dust, collected each day by your cleaners.

It's the SaaS apps that are the danger

Secure Strategy

Most of those affected won't be directly using Oracle Cloud. They'll be using NetSuite, or another SaaS app (Zoom etc) that runs on Oracle Cloud. A quick look at the domains affected will show this - lots of SMEs. This needs to be called out in the article.

So, when's the lawsuit?

Pascal Monett

And will it be class action?

Given the amount of data pilfered, I'm guessing a lot of CEOs are likely to be quite unhappy about this mess and will be wanting more than just excuses.

In related news

Jflynn007

Oracle has announced their new super duper advanced cloud security solution. Subscription based and charges by the byte of data. Free credits for any data lost.

CVE-2021-35587 9.8 critical

Dan 55

This is why Oracle Cloud is reassuringly expensive.
