Oracle denies breach after hacker claims theft of 6 million data records
Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers.
"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer.
This statement comes after a threat actor known as rose87168 released multiple text files yesterday containing a sample database, LDAP information, and a list of affected companies, all of which they claimed were stolen from Oracle Cloud's SSO platform.
As further proof that they had access to Oracle Cloud servers, the threat actor shared an Internet Archive URL with BleepingComputer indicating that they had uploaded a .txt file containing their ProtonMail email address to the login.us2.oraclecloud.com server.
BleepingComputer contacted Oracle again to explain how the threat actor uploaded a text file containing their email address without access to Oracle Cloud servers.
Alleged Oracle data breach
rose87168 is now selling the allegedly stolen data from Oracle Cloud's SSO service for an undisclosed price or in exchange for zero-day exploits on the BreachForums hacking forum.

They say the data (including encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys) was stolen after hacking into 'login.(region-name).oraclecloud.com' Oracle servers.
"The SSO passwords are encrypted, they can be decrypted with the available files. Also, LDAP hashed passwords can be cracked," rose87168 says. "I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold."
They've also offered to share some of the data with anyone who can help decrypt the SSO passwords or crack the LDAP passwords.
The threat actor told BleepingComputer they gained access to Oracle Cloud servers around 40 days ago and claimed to have emailed the company after exfiltrating data from the US2 and EM2 cloud regions.
In the email exchange, rose87168 said they asked Oracle to pay 100,000 XMR for information on how they breached the servers, but the company allegedly refused to pay after asking for "all information needed for fix and patch
When asked how they breached the servers, the threat actor said that all of the Oracle Cloud servers run a vulnerable software version affected by a public CVE (flaw) that does not currently have a public PoC or exploit. BleepingComputer could not independently verify whether this is the case.
BleepingComputer has contacted various companies whose data was allegedly stolen to confirm whether it's valid. We will update this article if we hear back.
source: BleepingComputer