Digital illustration showing a breaking news alert about the Oracle Cloud breach, featuring a warning icon, a padlocked laptop screen, a hooded hacker, and ransom details.

Massive Oracle Cloud Breach Hits Over 140,000 Tenants: 6 Million Records Leaked in 2025 Supply Chain Attack

March 30, 2025 — A major supply chain breach has rocked Oracle Cloud, with over 6 million sensitive records reportedly exfiltrated and more than 140,000 tenants impacted. Cybersecurity firm CloudSEK has confirmed the breach, uncovering that the data was stolen via a suspected vulnerability affecting Oracle’s login infrastructure.

The attacker, known by the alias “rose87168”, surfaced on the dark web offering the stolen data for sale and coercing affected organizations to pay a fee for its removal.


Key Findings

  • Attack Vector: Likely a legacy Oracle Cloud subdomain, login.us2.oraclecloud.com, exploited through a known but previously unexploited vulnerability in Oracle Access Manager (CVE-2021-35587).
  • Data Exfiltrated: Includes Java KeyStore (JKS) files, encrypted SSO credentials, key files, and enterprise manager JPS keys.
  • Exposure Scope: 140,000+ Oracle Cloud tenants across various regions and sectors.
  • Threat Actor Behavior: Offers incentives for decrypting SSO credentials and is actively promoting the breach on platforms like X (formerly Twitter).
  • Initial Breach Date: Traced back to January 2025.

Vulnerability Details

The suspected exploit centers on CVE-2021-35587, a critical vulnerability in older versions of Oracle Fusion Middleware’s Access Manager component. Although this CVE has been known since 2021, its exploitation at scale has only now been observed.

The compromised Oracle subdomain was last captured on the Wayback Machine in February 2025 and appears to have hosted outdated middleware from 2014.


Risks for Organizations

  • Mass Credential Compromise: Exposure of SSO and LDAP credentials may facilitate lateral movement and access to connected enterprise systems.
  • Financial and Reputational Damage: Ransom demands and potential leaks raise extortion and compliance concerns.
  • Supply Chain Vulnerability: The breach could ripple through interconnected platforms, exposing downstream partners and clients.
  • Zero-Day Concerns: The threat actor hints at using an undisclosed vulnerability, underlining the need for robust patch management.

What You Should Do Now

Immediate Actions:

  • Reset LDAP/SSO Passwords: Especially for privileged accounts.
  • Rotate Keys and Secrets: Replace any impacted certificates or credentials tied to SAML, OIDC, or LDAP.
  • Enable MFA: Enforce strong authentication methods organization-wide.

Audit & Monitoring:

  • Review authentication logs for anomalies.
  • Monitor for signs of unauthorized access or internal abuse.
  • Implement continuous threat detection solutions.

Incident Response:

  • Engage with Oracle Security immediately.
  • Conduct full forensic analysis.
  • Monitor dark web sources for mentions of your organization.
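One way to act on the "Review authentication logs" and credential-rotation steps above, as an added example that is not part of CloudSEK's report: it takes an export of per-account last-rotation dates and a set of authentication log lines (both constructed here, in an assumed log format) and flags successful logins on or after the January 2025 breach start that either used a credential not rotated since then or came from a source IP the account never used before the breach window.

```python
from datetime import datetime, timezone
from collections import defaultdict
# Initial breach date given in the report; logins from here on are reviewed.
BREACH_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
# Constructed inventory (assumed to be exported from your directory): account -> last rotation.
PASSWORD_LAST_SET = {
    "svc-ldap-sync": datetime(2024, 6, 10, tzinfo=timezone.utc),
    "jdoe": datetime(2025, 3, 22, tzinfo=timezone.utc),
    "oam-admin": datetime(2023, 11, 2, tzinfo=timezone.utc),
}
# Constructed log lines in an assumed format: "<ISO time> <user> <source IP> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-11-15T07:30:00Z jdoe 10.0.4.12 SUCCESS
2024-12-03T08:15:00Z svc-ldap-sync 10.0.4.7 SUCCESS
2024-12-20T09:01:12Z oam-admin 10.0.4.9 SUCCESS
2025-02-14T02:40:31Z svc-ldap-sync 198.51.100.23 SUCCESS
2025-02-14T02:41:05Z oam-admin 198.51.100.23 FAILURE
2025-02-14T02:41:40Z oam-admin 198.51.100.23 SUCCESS
2025-03-25T10:05:00Z jdoe 10.0.4.12 SUCCESS
"""

def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result

def review_logins(log_text, last_set, breach_start=BREACH_START):
    """Return (user, ip, reasons) for each successful login on/after breach_start that
    used an unrotated credential or a source IP unseen for that account pre-breach."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Baseline: source IPs each account authenticated from before the breach window.
    known_ips = defaultdict(set)
    for ts, user, ip, result in events:
        if ts < breach_start and result == "SUCCESS":
            known_ips[user].add(ip)
    findings = []
    for ts, user, ip, result in events:
        if ts < breach_start or result != "SUCCESS":
            continue
        reasons = []
        rotated = last_set.get(user)
        # No rotation on record, or rotated before the breach: credential may be in the dump.
        if rotated is None or rotated < breach_start:
            reasons.append("credential not rotated since breach window")
        if ip not in known_ips[user]:
            reasons.append("source IP never seen for this account pre-breach")
        if reasons:
            findings.append((user, ip, reasons))
    return findings
```

Accounts rotated after the breach start and logging in from their usual sources (jdoe here) produce no finding; the two service/admin logins from the unfamiliar address are flagged on both counts.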



About the Threat Actor

  • Alias: rose87168
  • Active Since: January 2025
  • Forum Reputation: New account, but high sophistication in tactics
  • Current Status: Active and escalating

Final Thoughts

This breach marks one of the largest supply chain attacks of 2025 so far, underscoring the urgent need for organizations to re-evaluate their cloud security posture, vulnerability management practices, and third-party risk frameworks.

CloudSEK continues to monitor the situation and urges all Oracle Cloud users to verify their exposure, implement immediate mitigations, and coordinate with Oracle for potential patch deployment.

Stay ahead of breaches. Proactively monitor your digital footprint with platforms like CloudSEK XVigil and prepare for what’s next.