Oracle’s Breach Denial Under Scrutiny as Millions of Records Surface for Sale


CloudSEK recently reported a major breach allegedly targeting Oracle Cloud, in which roughly six million records were said to have been exfiltrated. A threat actor known as “rose87168” was found attempting to sell this data, purportedly drawn from more than 140,000 tenants, which included encrypted SSO credentials, key files, and Oracle Enterprise Manager JPS keys. The actor even offered financial rewards to anyone able to decrypt the SSO passwords or crack the LDAP credentials. That offer tells defenders two things: the credential material in the dump is apparently not yet in directly usable form, and the severity of the compromise lies in what it becomes once someone recovers it.

The breach appears tied to an Oracle Cloud subdomain, login.us2.oraclecloud.com (since taken offline but captured in web archives), which reportedly hosted files uploaded by the attacker as proof of access. The suspected point of entry: an outdated Oracle Fusion Middleware server still vulnerable to CVE-2021-35587, a critical, remotely exploitable flaw in Oracle Access Manager (OAM) that Oracle patched in its January 2022 Critical Patch Update and that has since been exploited in the wild.

Despite a patch having been available for more than three years, CloudSEK’s findings suggest that the vulnerability remained exploitable on at least one host in Oracle’s own cloud infrastructure, reinforcing the danger of unpatched enterprise software, especially on internet-facing identity systems.

Since surfacing in January 2025, rose87168 has built a reputation as a technically capable threat actor operating in high-stakes cybercrime circles. They have been linked to multiple breaches targeting outdated enterprise infrastructure, often backing up claims with proof-of-concept material. Their tactics demonstrate familiarity with enterprise tech stacks and a methodical approach to exploiting misconfigurations and legacy systems.

Beyond these exploits, rose87168 is active on dark web forums where they continue to publicize their techniques, make ransom demands, and promote stolen data. Their ability to combine technical prowess with cybercriminal marketing has only increased their overall threat profile. This dual role of hacker and extortionist presents new challenges for organizations navigating a growing number of threats today.

Oracle’s Response and Controversy

Oracle formally denied the breach, stating that no customer environments were compromised and characterizing the findings as inaccurate. However, Oracle offered little technical evidence to support that denial, and its statement has drawn criticism from the security community. Experts argue that Oracle’s dismissal fails to account for specific and verifiable evidence, including the attacker-uploaded files on the Oracle-controlled domain.

Security analyst Jake Williams raised concerns about Oracle’s position, emphasizing the need for more transparency. Other experts agree. “Jake Williams raises a critical point,” said Chad Cragle, CISO at Deepwatch. “This indicates unauthorized access, even if it wasn’t a full-scale compromise. Dismissing the incident without addressing this key detail raises more questions than answers.”

Implications for Oracle Cloud Customers

Whether or not Oracle acknowledges a full breach, the incident creates concrete risks for customers: if the encrypted SSO and LDAP credential material in the dump is genuine, tenants’ federated identities are exposed even before anyone recovers the plaintext. The presence of attacker files on a publicly accessible subdomain and the apparent exploitation of a known, long-patched CVE show how an overlooked vulnerability in shared identity infrastructure cascades across every tenant that depends on it.

Organizations hosting sensitive workloads in Oracle Cloud would be wise to review their own patching procedures for any Fusion Middleware or OAM they operate, assess their potential exposure (which tenants, SSO integrations, and keys could appear in the dump), rotate the SSO and LDAP credentials and regenerate the key material that the listing claims to include, watch authentication logs for anomalous logins, and demand greater transparency from Oracle.
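The exposure assessment above starts with an honest inventory. As an added example (not from the article, CloudSEK, or Oracle), the following Python script triages a middleware inventory for exposure to CVE-2021-35587. It assumes the OAM release lines Oracle listed in its advisory (11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0), a constructed CSV inventory with made-up hostnames, and a placeholder patch ID: applying an Oracle Critical Patch Update does not change the OAM product version string, so a version match alone neither proves nor rules out exposure, and you must check the applied patch (for example from `opatch lsinventory`) against the patch number in Oracle’s advisory for your release line.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Oracle Access Manager release lines named in Oracle's advisory for
# CVE-2021-35587, compared on the first four version components.
AFFECTED_OAM_RELEASES = {"11.1.2.3", "12.2.1.3", "12.2.1.4"}

# Placeholder only: substitute the CPU patch number Oracle lists for your
# release line. This string is NOT a real Oracle patch ID.
REQUIRED_PATCH_ID = "CPU_PATCH_PLACEHOLDER"

# Constructed sample inventory; hostnames and OTHER_PATCH are made up.
SAMPLE_INVENTORY = """\
host,product,version,internet_exposed,applied_patches
login-old.example.internal,OAM,11.1.2.3.0,yes,
sso-prod.example.internal,OAM,12.2.1.4.0,yes,OTHER_PATCH;CPU_PATCH_PLACEHOLDER
sso-dev.example.internal,OAM,12.2.1.4.0,no,
portal.example.internal,WebLogic,12.2.1.4.0,yes,
"""


@dataclass(frozen=True)
class Finding:
    host: str
    risk: str  # "critical", "high", "patched" or "not_affected"
    reason: str


def release_line(version: str) -> str:
    """Reduce '12.2.1.4.0' to '12.2.1.4'; tolerates a missing trailing component."""
    return ".".join(version.strip().split(".")[:4])


def is_affected_release(product: str, version: str) -> bool:
    """Only OAM is in scope for this CVE; other products sharing the version are not."""
    return product.strip().upper() == "OAM" and release_line(version) in AFFECTED_OAM_RELEASES


def load_inventory(text: str) -> list[dict]:
    """Parse the CSV and normalise the boolean and the ';'-separated patch list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["internet_exposed"] = row["internet_exposed"].strip().lower() in ("yes", "true", "1")
        row["applied_patches"] = {p.strip() for p in row["applied_patches"].split(";") if p.strip()}
        rows.append(row)
    return rows


def triage(rows: list[dict], required_patch: str = REQUIRED_PATCH_ID) -> list[Finding]:
    """Classify each host: affected release without the CPU patch is the actionable case."""
    findings = []
    for r in rows:
        if not is_affected_release(r["product"], r["version"]):
            findings.append(Finding(r["host"], "not_affected",
                                    f"{r['product']} {r['version']} is not an affected OAM release"))
        elif required_patch in r["applied_patches"]:
            # Version string still matches, but the patch inventory shows the fix is on.
            findings.append(Finding(r["host"], "patched",
                                    f"affected release {r['version']} but {required_patch} is applied"))
        else:
            risk = "critical" if r["internet_exposed"] else "high"
            where = "reachable from the internet" if r["internet_exposed"] else "internal only"
            findings.append(Finding(r["host"], risk,
                                    f"OAM {r['version']} without {required_patch}, {where}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


def worst_first(findings: list[Finding]) -> list[Finding]:
    order = {"critical": 0, "high": 1, "patched": 2, "not_affected": 3}
    return sorted(findings, key=lambda f: (order[f.risk], f.host))


if __name__ == "__main__":
    for f in worst_first(triage(load_inventory(SAMPLE_INVENTORY))):
        print(f"{f.risk:<12} {f.host:<28} {f.reason}")
```

Running it prints the hosts worst-first. The “high” row is deliberate: an OAM instance that is internal only still matters, because the suspected entry point in this incident was simply a server left on an old release, and internal reachability changes once an attacker has any foothold.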

Lessons for Enterprise Cloud Security

This case serves as a stark reminder that cloud security is a shared responsibility. Enterprises must ensure their vendors are following best practices for vulnerability management while maintaining their own layers of defense, such as continuous monitoring, threat intelligence, and incident response planning.

“This incident highlights the importance of continuously monitoring third-party platforms, ensuring regular patching of middleware components, and validating federated identity infrastructure configurations,” said Heath Renfrow, CISO and Co-Founder at Fenix24. “Supply chain and cloud identity are increasingly attractive attack surfaces, and it is vital that all organizations using shared cloud platforms apply a Zero Trust posture to identity and access management.”

Even in managed environments, outdated middleware can become a weak link, especially when vendors fail to proactively communicate about potential exposure.

“As more resources move into the cloud, we need to shift our mindset for how we protect them without hindering productivity,” said Rom Carmel, co-founder and CEO at Apono, a provider of privileged access for cloud solutions. “This means embracing intelligent access control methodologies and the agility that automation can provide us to not only make our organizations more secure and resilient but also enable the business to run faster.”

The Need for Transparency and Vigilance

In an era where enterprise data increasingly resides in the cloud, the Oracle breach controversy illustrates the urgent need for transparency from cloud providers and vigilance from their customers. Regardless of whether Oracle’s denial stands up to scrutiny, the presence of credible, independently reported indicators of compromise should prompt meaningful dialogue and proactive security reviews.

“The ongoing investigation into an alleged cyber-attack on Oracle Cloud underscores key security risks that organizations must address and highlights the critical need for timely patching and proactive security measures,” said Patrick Tiquet, Vice President, Security and Architecture at Keeper Security.

For organizations entrusting their operations to cloud platforms, staying informed, demanding accountability, and investing in layered security are essential steps toward mitigating the growing risks of modern cyber threats.

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…