Oracle Customers Confirm Data Stolen In Alleged Cloud Breach Is Valid (bleepingcomputer.com)
- Reference: 0176840599
- News link: https://yro.slashdot.org/story/25/03/27/1918205/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid
- Source link: https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
> Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the [1]theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named 'rose87168' claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them.
>
> The threat actor released multiple text files consisting of a database, LDAP data, and a list of 140,621 domains for companies and government agencies that were allegedly impacted by the breach. It should be noted that some of the company domains look like tests, and there are multiple domains per company. In addition to the data, rose87168 shared an [2]Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach. However, Oracle has denied that it suffered a breach of Oracle Cloud and has refused to respond to any further questions about the incident.
>
> "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer last Friday. This denial, however, contradicts findings from BleepingComputer, which received additional samples of the leaked data from the threat actor and contacted the associated companies. Representatives from these companies, all who agreed to confirm the data under the promise of anonymity, confirmed the authenticity of the information. The companies stated that the associated LDAP display names, email addresses, given names, and other identifying information were all correct and belonged to them. The threat actor also shared emails with BleepingComputer, claiming to be part of an exchange between them and Oracle.
[1] https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
[2] https://web.archive.org/web/20250301161517/http:/login.us2.oraclecloud.com/oamfed/x.txt?x
Wouldn't it be nice (Score:5, Insightful)
Wouldn't it be cool if Oracle could be held liable for spreading lies and misinformation for denying their breach? Yeah, it hurts their brand but we need better rules in place to keep companies honest.
Re: (Score:1)
I think this might be a good meta punishment. If you lie about it, you get fined. BTW are there any fines for being breached?
Re: (Score:3)
There could be possible fines if they lost PII, PHI, or other protected information as defined by local, state and federal data protection laws. The kicker is if they even lost any protected information, it would be up to a government official if they want to pursue Oracle in court.
The biggest fine they could incur IMHO would be if they have cyber breach insurance, their rates are definitely going to increase.
Oracle claims to be SOC 2 in addition to a bunch of others. That said, this breach is direct proof
Re: Wouldn't it be nice (Score:2, Funny)
Seems like the SEC could have something to say about it, if they are still operating
companies need to realize they are not Trump (Score:3)
The ability to lie and get away with it is only reserved for the current administration.
Stay in your lane...
For companies, they need a different playbook. When something can be demonstrably proven, them lying about it, and then proven to have lied is just stupid.
Re: (Score:2)
Politicians have been lying and getting away with it since forever. Big business leaders the same. It won't change either. People cheat, lie and steal.
Credit monitoring (Score:3)
Great! I really need another year of worthless credit monitoring.
Larry (Score:3)
Larry will barely raise one eyebrow while going back to stroke his bald cat.
And they want to buy TikTok? (Score:1)
...That's like hiring Jeffrey Dahmer to run a morgue.
What a perfect response... (Score:4, Informative)
...The thing that happened, did not happen...
...The thing that you are experiencing, you are not experiencing...
...The thing that you can see with your own eyes, you can not see with your own eyes...
Reminds me of the current Trump administration.
Re: (Score:2)
It does have kind of a familiar ring to it.
Re: (Score:2)
That didn't happen.
And if it did, it wasn't that bad.
And if it was, that's not a big deal.
And if it is, that's not my fault.
And if it was, I didn't mean it.
And if I did, you deserved it.
We witnessed all the levels simultaneously a few days ago.
He learned it from Putin (Score:4)
> ...The thing that happened, did not happen... ...The thing that you are experiencing, you are not experiencing... ...The thing that you can see with your own eyes, you can not see with your own eyes... Reminds me of the current Trump administration.
Putin really pioneered this in the modern era. My political opponents dying?...it's just bad luck. I didn't do anything. Those people invading Ukraine in 2014?...not our guys! The ceasefire I proposed? I'm not violating it when I attack Ukraine. That guy who made me look weak?...it's tragic his plane crashed that way.
You can debate Trump's connection to Putin, but there's no doubt, Trump has learned a lot by watching him...at the bare minimum...and has emulated Putin's strategies in both his presidencies.