Oracle continues to dispute claims of major security breach

CloudSEK says the breach stemmed from an unpatched vulnerability

Image caption: Warnings are being sounded but Oracle denies a breach of Oracle Cloud

The dispute between Oracle and security researchers at CloudSEK has intensified in recent days, with Oracle continuing to deny that hackers accessed sensitive data from the company’s Cloud federated Single Sign-On (SSO) service.

A dispute has intensified between Oracle and security researchers following allegations that hackers accessed sensitive data from the company’s Cloud federated Single Sign-On (SSO) service. Whilst a threat actor has claimed responsibility for the breach, Oracle has categorically denied any security compromise, setting the stage for a contentious back-and-forth.

The controversy began in mid-March when a threat actor known as ‘rose87168’ claimed responsibility for leaking six million records, allegedly stolen from Oracle’s Cloud SSO login service. The hacker posted samples on the dark web, reportedly containing a list of affected companies, encrypted SSO passwords, Java KeyStore (JKS) files, and LDAP information.

“The SSO passwords are encrypted, they can be decrypted with the available files, also LDAP hashed passwords can be cracked,” the threat actor stated.

The individual also threatened to auction the data, offering companies the opportunity to pay for the removal of their employees' information before it was sold.

CloudSEK analysis and Oracle response

Cybersecurity firm CloudSEK conducted an initial assessment, suggesting that the breach stemmed from an unpatched vulnerability in Oracle’s infrastructure.

In a report it said: “The threat actor has demonstrated sophisticated capabilities by targeting a critical authentication infrastructure. They’re not only selling the data but also actively recruiting assistance to decrypt the stolen passwords, suggesting an organized and persistent threat operation.”

Oracle, however, has vehemently denied any breach, dismissing the claims made by both CloudSEK and the threat actor.

“There has been no breach of Oracle Cloud,” a company spokesperson told BleepingComputer. “The published credentials are not for Oracle Cloud. No Oracle Cloud customer experienced a breach or lost any data.”

Despite Oracle’s rebuttal, CloudSEK has doubled down on its findings, releasing a follow-up report that challenges the company’s stance. The security firm claims its analysis provides evidence that the alleged attack targeted Oracle’s SSO service weeks before the breach was made public.

Key findings from CloudSEK’s investigation

CloudSEK’s report highlights multiple pieces of evidence it claims support the legitimacy of the breach. Researchers pointed to a sample of customer data and a text file reportedly created on login.us2.oraclecloud.com, which they argue demonstrates that the affected SSO server was in active use prior to the breach.

Additionally, CloudSEK identified an archived GitHub repository linked to Oracle’s official “oracle-quickstart” account, featuring a script (mpapihelper.py) that used login.us2.oraclecloud.com for OAuth2 token generation.

“This endpoint authenticated API requests for the Oracle Cloud Marketplace, proving its production use,” researchers stated. “OneLogin and Rainfocus documentation further validate its role in live SSO setups.”

The firm also pointed to domain data found in public GitHub repositories and Oracle partner guides, which allegedly matches the attacker’s leaked tenant list.

“These are not dummy accounts but Oracle Cloud users, underscoring the breach’s scope,” CloudSEK reported.

Rahul Sasi, CEO and co-founder of CloudSEK, defended the firm’s findings, stating: “This follow-up report equips the community and Oracle with facts to investigate and mitigate this threat responsibly.”

Potential impact of the alleged breach

CloudSEK has warned that the implications of the incident could be severe. The exposure of six million records, including sensitive authentication data, could lead to heightened risks of unauthorised access and espionage, the firm cautioned.

Furthermore, the presence of encrypted SSO and LDAP passwords raises concerns that, if cracked, they could facilitate additional breaches.

CloudSEK also highlighted the potential supply chain impact, with exposed JKS files posing a risk of downstream attacks on interconnected systems.

“A suspected unpatched vulnerability suggests deeper security flaws,” the company added.