Despite Oracle’s firm denial of a data breach affecting its cloud services, new evidence suggests its federated Single Sign-On (SSO) system may have been infiltrated. A hacker known as “rose87168” has surfaced on a cybercrime forum, alleging access to Oracle Cloud’s login infrastructure and offering the credentials of nearly six million users, including encrypted passwords and other sensitive information. This claim, first reported by BleepingComputer, has raised alarm in cybersecurity circles.
The issue gained traction when “rose87168” shared purported authentication records from Oracle’s systems, posting multiple text files containing Lightweight Directory Access Protocol (LDAP) records, encrypted passwords, and an extensive list of over 140,000 domains belonging to affected businesses and government entities.
Fueling further speculation, the hacker also provided a link to a file hosted on Oracle’s official “login.us2.oraclecloud.com” domain, featuring their own contact details. This suggests they had the ability to write directly to Oracle’s servers, potentially indicating deeper system access than the company has acknowledged.
Oracle, however, remains resolute in its response. A spokesperson stated, “There has been no breach of Oracle Cloud. The credentials shared do not pertain to Oracle Cloud services. No Oracle Cloud customer data has been compromised.”
This official statement, however, contrasts sharply with findings from independent sources. Some companies identified in the leaked database have confirmed that the exposed details, including LDAP display names and email addresses, are legitimate and linked to their employees.
Further analysis by cybersecurity firm CloudSEK has revealed that the affected Oracle server was running Fusion Middleware 11g as recently as February 2025. This version harbors a known vulnerability (CVE-2021-35587) in Oracle Access Manager that allows unauthorized entry into protected systems. The hacker claims this specific flaw enabled them to breach Oracle’s infrastructure.
Following public reports, Oracle took the affected login server offline but has yet to clarify whether this action was in response to a breach or part of routine maintenance.
In a separate development, emails purportedly exchanged between the threat actor and Oracle’s security team have surfaced. In one message, the hacker asserted they had accessed six million user records. Another email, allegedly from an Oracle-linked ProtonMail address, hinted at a willingness to discuss the matter privately, raising concerns about the company’s approach to security communications.