Oracle Cloud platform Data Breach
On March 25, 2025, threat actor Rose87168 posted confidential data stolen from Oracle Cloud customers on a cyber incident forum, claiming to possess millions of records linked to more than 140,000 Oracle Cloud users, including encrypted credentials. As evidence, the hacker released 10,000 customer records, a file showing Oracle Cloud access, user credentials and an internal video.
The actor, active since January 2025, has demanded payments from affected companies to remove the breached data. He initially tried to extort $20 million from Oracle, but later offered the stolen data for sale or in exchange for alleged zero-day exploits.
Oracle has denied the threat actor's claims, asserting that there was no Oracle Cloud security breach and that the leaked credentials were unrelated. The company stated that no customer data was compromised. However, several media outlets reported that a number of companies have confirmed to them that the leaked Oracle data is authentic and includes LDAP names, emails and other records. For its part, cybersecurity firm CloudSEK noted that a vulnerable version of Oracle Fusion Middleware was running on the compromised server. Oracle has since taken the server offline.
Finally, while the FBI and CrowdStrike are investigating the incident, it has emerged that Oracle has been privately notifying its customers of a breach affecting usernames, passwords and encrypted passwords. Researchers claim that Oracle has only given its cloud customers verbal notifications of the leak, with no written communication.
21/03/2025 bleepingcomputer.com