On March 20, 2025, an alleged data breach involving Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services was reported.
Alleged Oracle Cloud Breach Might Impact 140,000 Customers
Threat actor claims to have stolen over six million records including encrypted credentials.
What is the attack?
On March 20, 2025, an alleged data breach involving Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services was reported. A threat actor operating under the alias “rose87168” claimed to have stolen over six million records, potentially affecting more than 140,000 enterprise customers.
The data reportedly includes encrypted SSO and LDAP credentials, Java Keystore files, and other sensitive authentication assets. Oracle has publicly denied these allegations.
Why did it get through?
According to initial reports, the incident may have involved a known vulnerability in Oracle WebLogic Server (CVE-2021-35587), which impacted Oracle Cloud login infrastructure. The compromised endpoint—login.(region-name).oraclecloud.com—could have enabled unauthorized access and lateral movement.
Several contributing factors, including exposed legacy systems and inconsistent update hygiene across cloud components, may have increased the risk of exploitation.
What is required to solve for this attack?
Patch Management and Regular Updates: Ensure all internet-facing and internal systems are routinely updated. Apply patches for known vulnerabilities as part of a formal vulnerability management program.
Enhanced Monitoring and Access Control:
Deploy advanced monitoring solutions to detect abnormal behavior and unauthorized access attempts in real time. Enforce strict access policies to protect identity infrastructure.