On 20 March 2025, a previously unknown threat actor posting under the handle "rose87168" listed six million records for sale on BreachForums, claiming they had been stolen directly from Oracle Cloud's authentication infrastructure.
The data included Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) passwords, LDAP credentials, OAuth2 keys, and Enterprise Manager JPS keys - the kind of data that sits at the very core of how cloud environments authenticate users and systems.
Oracle's initial response was a flat denial. The company told BleepingComputer: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
That statement did not hold.
Within days, independent researchers confirmed the breach. By early April 2025, Oracle had quietly begun notifying affected customers directly. The incident is estimated to impact over 140,000 cloud tenants across multiple industries and regions. At the time of writing, Oracle has still not made a full public statement.
What Happened
The attacker appears to have been inside Oracle's systems since at least January 2025. According to threat intelligence firm CybelAngel, the intrusion exploited a 2020 Java vulnerability - specifically CVE-2021-35587, a critical flaw in Oracle Fusion Middleware's Access Manager component - to install a webshell and deploy malware targeting the Oracle Identity Manager (IDM) database. The targeted server, login.us2.oraclecloud.com, was running Oracle Fusion Middleware 11G, a software stack that had not been updated since 2014.
CVE-2021-35587 was not obscure. It had been added to CISA's Known Exploited Vulnerabilities catalogue in late 2022, meaning US federal agencies were explicitly required to patch it.
The vulnerability allows an unauthenticated attacker with basic network access to fully compromise Oracle Access Manager via HTTP. Oracle had issued a patch in January 2022. The affected server was running unpatched infrastructure.
Once inside, the attacker exfiltrated six million records and then contacted Oracle directly, demanding a large sum in cryptocurrency (equivalent to millions of dollars) to stay quiet. Oracle declined. In early March 2025 - before the public post appeared - Oracle reportedly removed the attacker from the affected systems and took steps to contain the breach. The attacker then went public, posting the data for sale on BreachForums on 20 March and simultaneously demanding that affected companies pay a separate "fee" to have their own records removed from the listing.
To prove the breach was real, the attacker uploaded a text file containing their own email address directly to login.us2.oraclecloud.com - a live Oracle login server. That file was captured by the Wayback Machine and independently verified by multiple researchers. CloudSEK, The Register, and others confirmed it. Oracle's denial became increasingly difficult to sustain.
By early April 2025, Oracle shifted approach. The company began reaching out to customers privately, acknowledging an incident involving its legacy Gen 1 servers and clarifying that the compromised infrastructure was separate from its newer Gen 2 Oracle Cloud Infrastructure (OCI) environment. Oracle maintained that no complete PII was exposed and that the most recent data in the breach was at least 16 months old. Those qualifications have been disputed by affected organisations reviewing their own leaked records.
Recommended Actions
- If you are an Oracle Cloud customer, rotate all SSO and LDAP credentials immediately. Do not wait for Oracle to formally confirm the scope of the breach. Treat any credential that touched Oracle's identity systems as potentially compromised.
- Reset authentication between Oracle and any connected identity provider - including Okta, Microsoft Azure, and Entra. Disable any "Break Glass" emergency access accounts and reissue them with new credentials and tighter audit logging.
- Audit your own exposure to CVE-2021-35587. If you run any Oracle Fusion Middleware environment - on-premises or hosted - verify patch status immediately.
- Inventory and retire legacy infrastructure that is still internet-facing. Systems running decade-old software stacks should not be handling live authentication.
- Monitor for downstream credential abuse. Encrypted SSO and LDAP passwords can be cracked offline. Organisations should watch for unusual authentication patterns and treat any anomalous access to cloud resources as a potential indicator of post-breach exploitation.
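One way to put the last recommendation into practice is a small detector run over SSO/LDAP authentication events. The code below is an added example written for this article, not Oracle's tooling or log format; the line layout, field names, the sample events and the per-user baseline of known countries are all constructed assumptions. It flags three patterns that matter after an identity-store leak: a burst of failures followed by a success from the same source (what offline-cracked or guessed passwords look like when tested), a successful login from a country the user has never authenticated from, and any use at all of a break-glass account.

```python
"""Detect post-breach credential abuse patterns in authentication logs.

Added example: a self-contained detector over constructed SSO/LDAP
authentication events. The log format, field names, sample lines and
baseline data are assumptions for this example, not Oracle's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One event per line:
#   <ISO-8601 UTC timestamp> user=<id> result=<OK|FAIL> src=<ip> country=<cc> method=<SSO|LDAP>
SAMPLE_LOG = """\
2025-04-02T03:10:01Z user=jsmith result=OK src=198.51.100.7 country=GB method=SSO
2025-04-02T03:14:07Z user=jsmith result=FAIL src=203.0.113.5 country=NL method=LDAP
2025-04-02T03:14:09Z user=jsmith result=FAIL src=203.0.113.5 country=NL method=LDAP
2025-04-02T03:14:12Z user=jsmith result=FAIL src=203.0.113.5 country=NL method=LDAP
2025-04-02T03:14:15Z user=jsmith result=OK src=203.0.113.5 country=NL method=LDAP
2025-04-02T03:20:00Z user=svc_breakglass result=OK src=203.0.113.5 country=NL method=SSO
2025-04-02T08:00:00Z user=akumar result=OK src=192.0.2.44 country=IN method=SSO
"""

# Constructed baseline (assumption): countries each user has authenticated
# from over a trailing period, and the emergency-access accounts that should
# never be used during normal operations.
BASELINE_COUNTRIES = {"jsmith": {"GB"}, "akumar": {"IN"}}
BREAK_GLASS_ACCOUNTS = {"svc_breakglass"}

FAIL_WINDOW = timedelta(minutes=5)   # failures are counted within this window
FAIL_THRESHOLD = 3                   # failures before a success that trigger a finding


def parse_event(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    required = ("user", "result", "src", "country", "method")
    if not all(k in fields for k in required):
        return None
    fields["ts"] = ts
    return fields


def parse_log(text):
    """Parse a whole log, silently dropping malformed lines."""
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def detect(events, baseline_countries, break_glass):
    """Return a list of (rule, user, detail) findings in time order."""
    findings = []
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            continue
        # Successful authentication from here on.
        if ev["user"] in break_glass:
            # Rule 3: any use of an emergency-access account is a finding on its own.
            findings.append(("break_glass_used", ev["user"], f"from {ev['src']}"))
            continue
        # Rule 1: burst of failures then a success from the same source.
        window_start = ev["ts"] - FAIL_WINDOW
        fails = [t for t in recent_fails[key] if t >= window_start]
        if len(fails) >= FAIL_THRESHOLD:
            findings.append(("fail_burst_then_success", ev["user"],
                             f"{len(fails)} failures from {ev['src']} before success"))
        recent_fails[key] = []
        # Rule 2: success from a country outside the user's baseline.
        known = baseline_countries.get(ev["user"], set())
        if ev["country"] not in known:
            findings.append(("new_country_login", ev["user"],
                             f"{ev['country']} via {ev['method']} from {ev['src']}"))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), BASELINE_COUNTRIES, BREAK_GLASS_ACCOUNTS)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:26} {user:16} {detail}")
```

On the sample data the detector produces three findings: the failure burst and the new-country login for jsmith, both from the same source address, and the break-glass account use. In a real deployment the baseline would come from the identity provider's own sign-in history, and the thresholds would be tuned per environment; the point is that each rule is cheap to evaluate on a stream of events, so it can run continuously while credential rotation is still in progress.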

Oracle in Denial