Home > Security > Security News

Oracle Cloud Data Breach Validated by Security Experts, Affecting Over 140,000 Tenants

Published on March 26, 2025
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Cybersecurity researchers say a significant breach affected Oracle Cloud, reportedly involving over six million records. An investigation by cybersecurity firm CloudSEK challenges Oracle’s earlier denial of any compromise. 

The breach allegedly exposed sensitive Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, OAuth2 keys, and customer tenant information. Proven real, the breach poses a serious threat of supply chain attacks on affected organizations.

CloudSEK’s XVigil platform first flagged the breach on March 21, 2025, when a user named “rose87168” posted on BreachForums, offering the compromised records for sale. The breach took place approximately 40 days before.

Threat actor's BreachForums' profile
Threat actor's BreachForums' profile | Source: SOC Radar

A thorough investigation by CloudSEK confirmed the use of a compromised production SSO endpoint, login.us2.oraclecloud.com, affecting real customer data and indicating production access rather than test environments.  

Key findings in CloudSEK’s report reveal real evidence, authentic customer data, and the exposure scope.

Screenshot of the text file uploaded by the threat actor on the endpoint login.us2.oraclecloud.com
Screenshot of the text file uploaded by the threat actor on the endpoint login.us2.oraclecloud.com | Source: CloudSEK

Manual reviews and corroborations showed consistent authentication credentials and functionality related to Oracle’s SSO endpoint beyond mere test environments. CloudSEK also verified attacker claims using archival public data and GitHub repositories referencing Oracle’s SSO setups.

Domains such as nucor-jfe.com and sbgtv.com, listed in the leaked sample by the attacker, matched live configurations across public repositories. Notably, these domains were used in production environments, raising the stakes of this compromise.

A 10,000-line sample released by the attacker affected 1,500+ unique organizations, lending credence to the breach’s authenticity. Compromised records also included email addresses.

Oracle categorically denied any breach in an initial response, asserting that “there has been no breach of Oracle Cloud.” The cybersecurity community has since scrutinized this claim, citing extensive evidence provided by CloudSEK and its independent validation efforts. 

Add a Comment
Related
Data Breach
Threat Actor Claims to Breach Endesa, Allegedly Compromising Millions of Customer Records
SpyX Data Breach Exposes Nearly 2 Million Users' Information, Including Apple Customers
Ransomware Illustration
RansomHub Group Claims Breach of O'Neill Website, Stealing 25GB Trove of Legal Data 
Open padlock surrounded by locked padlocks
Qilin Hacking Group Claims Responsibility for Breach at SMC Corporation's European Branch 
amazon
Cloud Providers AWS and Cloudflare Questioned About Alleged Monitoring App Data Storage
Data Breach
FunkSec Hacking Group Claims Breach of UNIMORE University's Systems
Most Popular
The White Lotus
The White Lotus Season 3: Did Episode 1 Hint at the Deaths of These 2 Characters?
Romance Baiting Scams
US DOJ Seizes Over $8 Million in Cryptocurrency Tied to 'Romance Baiting' Scams
BlackSuit Ransomware Fake Zoom Installer
Fake Zoom Installer Deploys BlackSuit Ransomware in Enterprise-Targeted Attack
Stacey & Joe
Stacey & Joe: Everything you need to Know About Stacey Solomon & Joe Swash’s Reality TV show
MobLand
MobLand Series 2025: Episode 1 Explained, Episode Guide, and Where to Watch
Vivaldi Proton VPN Integration
Vivaldi Integrates Proton VPN with its Desktop Browser to Offer Free VPN Protection
The White Lotus Season 3: Did Episode 1 Hint at the Deaths of These 2 Characters?
US DOJ Seizes Over $8 Million in Cryptocurrency Tied to 'Romance Baiting' Scams
Fake Zoom Installer Deploys BlackSuit Ransomware in Enterprise-Targeted Attack
Stacey & Joe: Everything you need to Know About Stacey Solomon & Joe Swash’s Reality TV show
MobLand Series 2025: Episode 1 Explained, Episode Guide, and Where to Watch
Vivaldi Integrates Proton VPN with its Desktop Browser to Offer Free VPN Protection

Most Popular
The White Lotus
The White Lotus Season 3: Did Episode 1 Hint at the Deaths of These 2 Characters?
Romance Baiting Scams
US DOJ Seizes Over $8 Million in Cryptocurrency Tied to 'Romance Baiting' Scams
BlackSuit Ransomware Fake Zoom Installer
Fake Zoom Installer Deploys BlackSuit Ransomware in Enterprise-Targeted Attack
Stacey & Joe
Stacey & Joe: Everything you need to Know About Stacey Solomon & Joe Swash’s Reality TV show
MobLand
MobLand Series 2025: Episode 1 Explained, Episode Guide, and Where to Watch
Vivaldi Proton VPN Integration
Vivaldi Integrates Proton VPN with its Desktop Browser to Offer Free VPN Protection
The White Lotus Season 3: Did Episode 1 Hint at the Deaths of These 2 Characters?
US DOJ Seizes Over $8 Million in Cryptocurrency Tied to 'Romance Baiting' Scams
Fake Zoom Installer Deploys BlackSuit Ransomware in Enterprise-Targeted Attack
Stacey & Joe: Everything you need to Know About Stacey Solomon & Joe Swash’s Reality TV show
MobLand Series 2025: Episode 1 Explained, Episode Guide, and Where to Watch
Vivaldi Integrates Proton VPN with its Desktop Browser to Offer Free VPN Protection

© 2025 TechNadu, a part of Leaprove Media LLP. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: