What Oracle’s Massive Cloud Data Breach Reveals About Cloud Security Risks
Oracle’s recent cloud security breach, which allegedly exposed six million records belonging to customers worldwide, has prompted an FBI investigation and a class‑action lawsuit, and has surfaced evidence of decade‑old middleware and attempts to remove archived evidence. Together these point to fundamental risks in cloud identity infrastructure and to the need for stronger protection of authentication data.
Oracle recently faced a major cloud security crisis. On March 20, 2025, a hacker using the handle “rose87168” claimed to have breached at least two Oracle Cloud login (SSO) servers and to have stolen about six million records, including encrypted SSO passwords, LDAP passwords, and security certificates and key files.
Oracle quickly denied the allegations, stating that the published credentials were not from Oracle Cloud and that no Oracle Cloud customers had experienced a breach or lost data. Mounting evidence contradicts that denial, and the FBI has opened an investigation into the scope and impact of the incident.
1. Hacker Sells Data and Initiates Extortion, First Class Action Filed
The hacker is selling the stolen data on the dark web while demanding ransom from affected companies to delete the data from sale listings. He has also created an X account to monitor Oracle‑related accounts and offers to verify and remove compromised data for a fee.
According to the hacker, the breach affects 140,000 Oracle Cloud tenants, including over 1,000 Chinese entities with “.cn” domains and more than 2,100 German companies with “.de” domains, indicating a potentially global impact.
On March 31, the law firm Shamis & Gentile filed a class‑action lawsuit in Florida on behalf of Michael Toikach and over 100 victims, accusing Oracle of failing to notify them of the breach despite its privacy policy promising prompt disclosure.
2. Evidence Shows Decade‑Old Software as an Attack Vector
The hacker also provided a sample of 10,000 rows of data to security firm Hudson Rock’s CTO Alon Gal, confirming the authenticity of the stolen information.
Additionally, a more than one‑hour internal Oracle meeting recording was released, discussing access to internal password stores and customer‑facing systems.
Digital forensics revealed that the compromised servers were running Oracle Fusion Middleware 11g, a release line that had not been updated since September 2014. The attack most likely exploited CVE‑2021‑35587, a vulnerability in Oracle Access Manager (the OpenSSO Agent component) that lets an unauthenticated attacker with HTTP network access compromise the server; Oracle fixed it in its January 2022 Critical Patch Update, roughly three years before the breach.
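The finding above comes down to two inventory questions an identity team can answer for its own Oracle Access Manager (OAM) estate: is any host still on the Fusion Middleware 11g line, and is any OAM version that Oracle listed as affected by CVE‑2021‑35587 still missing the January 2022 Critical Patch Update? The script below is an added example, not code from the article, from Oracle, or from any of the researchers named here. The inventory records, hostnames and Server header strings are constructed for illustration; the affected‑version list follows Oracle’s January 2022 CPU advisory, and the dotted version format and the 11g/12c banner text are assumptions about how an inventory would record them.

```python
"""Patch-exposure triage for an Oracle Access Manager (OAM) host inventory.

Added example, not from the article, Oracle, or any cited researcher.
Checks encoded here: (1) host still on the Fusion Middleware 11g line,
(2) OAM version affected by CVE-2021-35587 without the January 2022 CPU,
(3) how many years have passed since any patch was applied.
"""
from dataclasses import dataclass
from datetime import date

# OAM versions Oracle listed as affected by CVE-2021-35587 in the
# January 2022 Critical Patch Update advisory.
AFFECTED_OAM_VERSIONS = frozenset({"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"})
CPU_JAN_2022 = date(2022, 1, 18)   # release date of the CPU that fixed it

# Reference date for "how long unpatched": the day the breach claim appeared.
CLAIM_DATE = date(2025, 3, 20)


@dataclass
class OamHost:
    hostname: str
    oam_version: str          # dotted product version, e.g. "11.1.2.3.0" (assumed format)
    last_patched: date        # when a CPU or patch set was last applied
    server_header: str = ""   # HTTP Server header seen on the login endpoint, if captured


def is_fmw_11g(host: OamHost) -> bool:
    """Fusion Middleware 11g shows up as an 11.x OAM version or (assumption
    about the Oracle HTTP Server banner) as '11g' in the Server header."""
    return host.oam_version.startswith("11.") or "11g" in host.server_header


def triage(host: OamHost) -> list[str]:
    """Return the findings for one host; an empty list means nothing to report."""
    findings = []
    if host.oam_version in AFFECTED_OAM_VERSIONS and host.last_patched < CPU_JAN_2022:
        findings.append("CVE-2021-35587: affected OAM version, January 2022 CPU not applied")
    if is_fmw_11g(host):
        findings.append("Fusion Middleware 11g: end-of-life line, no current CPUs available")
    unpatched_years = (CLAIM_DATE - host.last_patched).days // 365
    if unpatched_years >= 1:
        findings.append(f"no patch applied for {unpatched_years} year(s)")
    return findings


def triage_inventory(hosts):
    """Map hostname -> findings, keeping only hosts that need attention."""
    return {h.hostname: f for h in hosts if (f := triage(h))}


# Constructed sample inventory: hostnames and banners are placeholders.
SAMPLE_INVENTORY = [
    OamHost("sso-legacy.example.internal", "11.1.2.3.0", date(2014, 9, 1),
            "Oracle-Application-Server-11g"),
    OamHost("sso-prod.example.internal", "12.2.1.4.0", date(2021, 10, 19),
            "Oracle-HTTP-Server-12c"),
    OamHost("sso-patched.example.internal", "12.2.1.4.0", date(2024, 10, 15)),
]

if __name__ == "__main__":
    for hostname, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(hostname)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, the 2014‑era 11g host collects all three findings, the 12c host that stopped at the October 2021 CPU is flagged only for the missing fix, and the host patched in October 2024 produces nothing. The point of separating the version check from the patch‑date check is that a supported version with a stale patch level is just as exposed as the legacy line the article describes.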
Security firm CloudSEK verified that the breach involved Oracle’s SSO service, potentially affecting thousands of tenants.
3. Oracle’s Attempts to Obscure the Incident
Security researchers Kevin Beaumont and Jake Williams noted that Oracle appears to have used the Internet Archive’s Wayback Machine exclusion process to remove archived evidence, and that it has started referring to the affected environment as “Oracle Classic” rather than “Oracle Cloud” to distance the incident from its current cloud offering.
A text file left by the hacker on an Oracle production login system, containing the hacker’s private email address, was indexed by the Wayback Machine but later removed at Oracle’s request. The file can still be accessed via a modified URL on the archive.
Oracle’s lack of transparency and delayed patching have drawn criticism, with experts urging customers to verify whether they were affected and to strengthen their security measures.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.