Oracle contradicts company’s Oracle Cloud data breach

Oracle wasn’t breached by a threat actor who claims to have stolen over 6 million data records from the company’s Oracle Cloud federated SSO login servers.

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” the tech company told BleepingComputer.

The statement was issued after a threat actor called rose87168 published a message on a popular cybercrime forum on the dark web, claiming he stole data from around 6 million users from Oracle Cloud’s SSO platform.

In addition, the hacker said he managed to lay his hands on encrypted SSO passwords, Java Keystore (JKS) files, key files, enterprise manager JPS keys, and Lightweight Directory Access Protocol (LDAP) hashed passwords.

The attacker told BleepingComputer he was able to gain access to Oracle Cloud servers approximately 40 days ago.

He said he emailed the company after exfiltrating data from the US2 and EM2 cloud regions. The hacker demanded 100,000 XMR, or roughly €19,8 million, for information on how he breached the servers. According to the threat actor, Oracle refused to pay after asking for “all information needed for fix and patch.”

When asked how he was able to breach the Oracle Cloud servers, he said that the company used servers containing a vulnerability with a public CVE flaw that doesn’t currently have a public proof of concept (PoC) or exploit.

To prove he had access to Oracle Cloud servers, the threat actor shared a URL with BleepingComputer, showing an Internet Archive URL indicating he uploaded a .txt file containing the company’s ProtonMail email address to the login.us2.oraclecloud.com server.

The tech site reached out to Oracle to explain how the attacker could have uploaded a text file containing their email address without having access to Oracle Cloud servers. Oracle hasn’t responded to this request.