Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers, evidence suggests that account data for 6 million users may have been compromised.

Cybersecurity sources, including BleepingComputer, have verified that sample data shared by the alleged attacker matches real company credentials.

Last week, a hacker named rose87168 claimed to have infiltrated Oracle Cloud servers, selling authentication data and encrypted passwords. They also suggested that stolen SSO and LDAP credentials could be decrypted using additional stolen files. The attacker provided database records, LDAP data, and a list of 140,621 domains allegedly affected, including those of companies and government agencies.

Further supporting the claim, the hacker shared an Archive.org URL with BleepingComputer containing a text file stored on Oracle’s login.us2.oraclecloud.com server. This suggests the attacker had the ability to create files within Oracle’s infrastructure, indicating a potential breach.

Oracle has strongly denied the incident, stating, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” However, companies contacted by BleepingComputer confirmed that leaked LDAP display names, emails, and other details were accurate and belonged to them.

Additionally, Kaspersky researchers linked the alleged breach to a known vulnerability, CVE-2021-35587, in Oracle Fusion Middleware 11g, which was reportedly still running on the login.us2.oraclecloud.com server as of February 2025. Oracle has since taken this server offline.

Emails shared by the hacker claimed an individual using a ProtonMail address, allegedly from Oracle, contacted them for further discussions. However, the identity and authenticity of this communication remain unverified.

While Oracle has yet to provide further clarification, cybersecurity experts continue to investigate, raising questions about the true scope of the breach and the potential risks for affected users.