Oracle has categorically denied that its Cloud systems have been breached, but sample data made available by the hacker seems to prove otherwise, according to several cybersecurity companies.
A hacker named ‘rose87168’ announced recently on a hacking forum the sale of data associated with over 140,000 Oracle Cloud tenants. The hacker claims to have obtained six million lines of data, including SSO and LDAP passwords.
“There has been no breach of Oracle Cloud,” an Oracle spokesperson told SecurityWeek on Monday. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
However, there appears to be increasing evidence to the contrary. After showing that they were able to upload an arbitrary file to Oracle Cloud systems, rose87168 provided sample data consisting of roughly 10,000 records to several security firms in an effort to demonstrate the hacking claims.
Hudson Rock co-founder and CTO Alon Gal reported on Tuesday that he had received confirmation from several customers using Oracle Cloud that the leaked data is genuine and is associated with a production environment. Some customers said the exposed accounts have access to sensitive data.
One customer told Gal that the leaked data dates to late 2023, but the hacker claims data from 2025 was also compromised.
CloudSEK has also analyzed the sample data and other information provided by the hacker and found evidence indicating that there was some sort of breach of Oracle Cloud systems and real user data was compromised.
“The volume and structure of the leaked information make it extremely difficult to fabricate, reinforcing the credibility of the breach,” CloudSEK noted.
The company has developed a simple online tool that allows organizations to check whether they are impacted by this data breach.
Threat intelligence company Kela has also analyzed the sample data made available by the hacker and told SecurityWeek that it found 1,547 unique domain names (mostly related to private firms) and 1,510 distinct tenant IDs.
The security firm has identified victims across 90 countries, with the highest percentages in the UK, the US, Italy, France and Germany. It also discovered domains associated with governments and related public entities in the US, UK, Italy, Sweden, Norway, Denmark, Finland, Portugal, Belgium, Austria and Brazil.
There is some indication that the attack on Oracle Cloud systems may involve the exploitation of a vulnerability in Oracle’s own products. One likely candidate is CVE-2021-35587, which impacts Oracle Fusion Middleware.
SecurityWeek has reached out to Oracle for comment in light of this new evidence and will update the article as soon as the company responds.
Related: Cisco Confirms Authenticity of Data After Second Leak
Related: OpenAI Finds No Evidence of Breach After Hacker Offers to Sell 20 Million Credentials
Related: HPE Says Personal Information Stolen in 2023 Russian Hack
