Federal cybersecurity officials on Wednesday warned of the potential fallout of a data breach impacting Oracle.

For weeks, Oracle privately warned customers of a January incident in which hackers stole information and accessed client credentials held on legacy Oracle systems. BleepingComputer and Bloomberg reported throughout March and April that Oracle customers were told privately of multiple security incidents, even though the company avoided publicly addressing the issue. The company claimed in one email to customers that Oracle Cloud Infrastructure (OCI) was not breached but that a hacker "did access and publish user names from two obsolete servers that were never a part of OCI." The FBI and CrowdStrike are investigating the incident, according to the letter Oracle sent to customers.

CloudSEK, CybelAngel and several other cybersecurity firms confirmed that the threat actor, known as "rose87168," was selling 6 million records extracted from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, affecting over 140,000 tenants across multiple regions and industries. At least three Oracle Cloud customers confirmed to news outlets that their information was in the leaked data set. The hacker, according to CloudSEK, was seen soliciting help from other hackers to decrypt the stolen credentials and threatening Oracle customers, pledging to remove their data for a fee.

The officials added that threat actors often weaponize these kinds of credentials to escalate their privileges and move laterally through networks; access cloud and identity management systems; conduct phishing and business email compromise campaigns; resell access to the stolen credentials; and enrich previously stolen data for targeted intrusions.
This Cyber News was published on therecord.media. Publication date: Wed, 16 Apr 2025 20:42:10 +0000