Oracle Denies Cloud Breach Despite Growing Evidence
Oracle is continuing to reject claims of a breach in its cloud infrastructure, even as multiple security experts present evidence suggesting otherwise. This ongoing dispute is raising concerns among Oracle customers about whether they should take proactive security steps or trust the company's reassurances.
Disputed Allegations
On March 21, threat intelligence company CloudSEK reported that a hacker, identified as "rose87168," was attempting to sell approximately 6 million records linked to 140,000 Oracle Cloud tenants. These records reportedly included single sign-on (SSO) and LDAP credentials, as well as tenant-specific data such as user accounts, settings, and content. CloudSEK’s investigation indicated that the hacker may have exploited a vulnerability in Oracle's cloud environment, but the attacker claimed to have used a specific flaw in Oracle's Fusion Middleware (CVE-2021-35587).
Despite these claims, Oracle has strongly denied that any breach took place, stating that the credentials published by the hacker did not belong to Oracle Cloud and asserting that no customers experienced data loss. Oracle's spokesperson, Julia Allyn Fishel, reiterated this stance on March 28, denying the breach in an email response.
Competing Evidence
CloudSEK updated its findings on March 25, sharing a 10,000-line sample of the alleged stolen data. This sample contained information linked to over 1,500 organisations, which CloudSEK believes points to a major breach. The structured format of the data, such as "tenant-dev" and "tenant-test," suggested the hacker had access to Oracle’s production environments. This level of detail has made it difficult for experts to dismiss the claims as fabrications. According to CloudSEK's Shashank Shekhar, some of the data, including encrypted passwords and LDAP configurations, was validated with affected customers, strengthening the belief that a breach occurred.
Oracle’s continued denial of the breach has raised concerns that affected organisations may not take necessary actions, such as rotating passwords, which could leave them vulnerable to further attacks, including supply chain risks. Shekhar recommends immediate password changes, starting with admin accounts.
Security firm SOCRadar conducted its own analysis and came to similar conclusions. While the sample size wasn't large enough to confirm the breach on its own, the data contained detailed, credible information consistent with Oracle Cloud user data. SOCRadar's CISO, Ensar Seker, expressed concern that Oracle’s refusal to acknowledge the breach could exacerbate risks, leaving organisations without clear guidance or notification of potential exposure.
Lack of Transparency Raises Concerns
The ongoing silence from Oracle has puzzled cyber security experts. Ekrem Celik, a researcher at Black Kite, speculates that the breach may have been limited to Oracle’s legacy systems or peripheral environments, such as login endpoints, rather than its core cloud infrastructure. This could explain why Oracle continues to deny a breach while still possibly addressing the issue internally.
Celik also pointed to the reputational and legal risks involved in confirming a breach, suggesting that Oracle may be hesitant to acknowledge it due to regulatory implications and the potential damage to customer trust. However, he emphasised that Oracle's lack of transparency leaves its customers in a difficult position, unsure of whether their data is at risk or how to respond.
According to Seker, the uncertainty caused by Oracle’s communication breakdown means customers may delay necessary remediation steps like credential resets or access audits, increasing their vulnerability to further threats. “When vendors fail to communicate promptly and clearly, it can lead to wider risks across the technology supply chain,” he said.
Growing Evidence of Breach
Adding further weight to the claims of a breach, Trustwave analysed the leaked data, finding markers that clearly identified accounts with elevated permissions and access to sensitive data, accounts that were active or inactive, accounts with admin access, and other contextual data that would allow an attacker to prioritise targets effectively. Trustwave’s analysis also found that the list of affected companies comprised 128,466 unique domain names.
"This leak is a serious breach of identity and privilege-related security, underscoring the need for timely de-provisioning, password hygiene, and multi-factor authentication," Trustwave researchers Nikita Kazymirskyi and Karl Sigler wrote in a blog post. They warned that the exposure of sensitive records could serve as a direct entry point for ransomware deployment, data exfiltration, or long-term espionage.
Cyber Security Compliance Implications
Any exposure of personally identifiable information (PII) and passwords could trigger compliance requirements under statutes like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) for covered organisations. If the breach indeed occurred, the primary concerns include attackers leveraging stolen data to infiltrate cloud environments, escalating privileges to administrative control, and reusing credentials for lateral movement across affected organisations.
How to Protect Oracle Cloud Accounts
Liran Farazis, global enterprise security manager at Sygnia, recommends that organisations that find themselves on the list should take immediate measures to protect themselves.
The measures, which Sygnia documented in a recent blog post, include resetting all credentials in Oracle Cloud SSO, LDAP, or encrypted configuration files; invalidating existing sessions and tokens; and reviewing access logs, authentication records, and application behaviour across Oracle Cloud components. "Reviewing this data helps identify unusual activity, such as failed login attempts, session anomalies, or unauthorised changes," Sygnia said. The vendor also recommends that potentially affected organisations rotate all cryptographic keys and secrets and implement continuous monitoring of the affected environment.
Trustwave had similar advice for potentially affected organisations: Force password resets, enforce multifactor authentication for all systems, regenerate SSO/SAML/OIDC secrets, and audit and revoke dormant and unused accounts. The company suggests that organisations isolate and monitor critical systems, especially if the exposed credentials provided access to them.
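The log review and account audit that Sygnia and Trustwave recommend, as an added illustration that is not code from either vendor or from this article: it runs over a constructed set of authentication records (the JSON layout, the account names and the `audit` helper are assumptions for the example) and separates the accounts to investigate first (a burst of failed logins followed by a success, the shape credential stuffing leaves) from dormant accounts to revoke, on top of the blanket credential reset.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Oracle Cloud logs): one JSON object per
# line, with the fields a generic SSO/LDAP authentication audit trail carries.
SAMPLE_LOG = """\
{"ts": "2025-03-26T09:00:00", "user": "admin.svc", "result": "FAIL", "ip": "203.0.113.7"}
{"ts": "2025-03-26T09:01:00", "user": "admin.svc", "result": "FAIL", "ip": "203.0.113.7"}
{"ts": "2025-03-26T09:02:00", "user": "admin.svc", "result": "FAIL", "ip": "203.0.113.7"}
{"ts": "2025-03-26T09:03:00", "user": "admin.svc", "result": "SUCCESS", "ip": "203.0.113.7"}
{"ts": "2025-03-26T10:15:00", "user": "j.doe", "result": "SUCCESS", "ip": "198.51.100.4"}
{"ts": "2024-11-02T08:00:00", "user": "old.contractor", "result": "SUCCESS", "ip": "198.51.100.9"}
"""
# Constructed directory listing of the accounts that exist in the tenant.
ACCOUNTS = ["admin.svc", "j.doe", "old.contractor", "never.used"]

def parse_events(text):
    """One JSON record per line; 'ts' becomes a datetime, events sorted by time."""
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def failed_then_success(events, max_fails=3, window=timedelta(minutes=10)):
    """Users with >= max_fails failures followed by a success inside the window:
    the credential-stuffing shape to investigate first after a credential leak."""
    fails, flagged = defaultdict(list), {}
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
        elif e["result"] == "SUCCESS":
            recent = [t for t in fails.pop(e["user"], []) if e["ts"] - t <= window]
            if len(recent) >= max_fails:
                flagged[e["user"]] = {"failures": len(recent), "ip": e["ip"]}
    return flagged

def dormant_accounts(accounts, events, now, max_idle=timedelta(days=90)):
    """Accounts with no successful login inside max_idle: revocation candidates."""
    last_ok = {e["user"]: e["ts"] for e in events if e["result"] == "SUCCESS"}
    return sorted(a for a in accounts if a not in last_ok or now - last_ok[a] > max_idle)

def audit(log_text, accounts, now_iso):
    """Post-leak triage: every account gets a reset; two lists get priority handling."""
    events = parse_events(log_text)
    now = datetime.fromisoformat(now_iso)
    return {"investigate_first": failed_then_success(events),
            "revoke": dormant_accounts(accounts, events, now),
            "reset_all": sorted(accounts)}
```

The thresholds (three failures in ten minutes, ninety idle days) are placeholders; tune them to the tenant's normal authentication volume before acting on the output.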
A Broader Problem
This incident highlights a key issue in modern cyber security: risk doesn’t just come from technical vulnerabilities, but also from how quickly and effectively vendors respond to security incidents. Oracle's delay in addressing the breach and its lack of transparency have made it harder for affected organisations to respond in a timely and informed way. This only increases the overall risk to both Oracle and its customers.
In situations like these, clear communication and rapid action are critical to minimising potential damage and restoring trust within the wider ecosystem.