Massive Oracle Cloud Breach Compromises 6 Million Records, Over 140,000 Businesses At Risk, Says CloudSEK
The cyberattack is being called the “biggest supply chain hack of 2025.”

(Source: CloudSEK)
In a massive supply chain cyberattack, Oracle Cloud has been targeted by a threat actor, compromising 6 million records and putting over 140,000 tenants (businesses that have their environment on a cloud database) across multiple regions and industries at risk.
The attack, which has compromised files and passwords, was discovered on March 21 by cybersecurity company CloudSEK, which called it the “biggest supply chain hack of 2025.” According to CloudSEK, a threat actor known as “rose87168” is selling 6 million records online, extracted from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.
To increase the scale of the attack, the threat actor has even created an X page, where it is following accounts connected to Oracle in order to harass or follow its targets.

Threat actor’s X account following list.
(Source: CloudSEK)
Oracle Records Peddled Online; Ransom Demanded From Companies
The threat actor, active since January 2025, is not only peddling this sensitive information online but also soliciting help to decrypt the stolen credentials while demanding ransom from affected companies for data removal.
The breach was traced to the endpoint “login.(region-name).oraclecloud.com,” reportedly used for signing into the Oracle account. The breach involves a dataset containing Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys.
CloudSEK’s investigation indicates that the threat actor used an undisclosed vulnerability in Oracle WebLogic Server to exploit login endpoints for all regions pertaining to oraclecloud.com. Despite the actor’s lack of prior history, their advanced techniques suggest a high level of sophistication.

Text file uploaded by the threat actor on the endpoint login.us2.oraclecloud.com.
(Source: CloudSEK)
Human And Business Toll
The exposure of 6 million records threatens organisations with mass data leaks, unauthorised access, and corporate espionage. If the encrypted SSO and LDAP passwords are cracked, attackers could infiltrate Oracle Cloud environments further, amplifying the risk. The breach also introduces supply chain vulnerabilities, as compromised JKS and key files could allow attackers to compromise interconnected systems.
The stakes are massive for businesses: more than 140,000 impacted tenants are under financial and reputational strain as a result of extortion demands from “rose87168.”
CloudSEK has assigned the threat a “High” severity rating due to its scale and potential for widespread damage.
Critical Recommendations
CloudSEK has outlined critical steps to mitigate the fallout, including resetting credentials, launching forensic probes to uncover any unauthorised access and halt further exploitation, monitoring the dark web for information about leaked data, and enforcing strict access controls.
The company has also urged organisations leveraging Oracle Cloud to take immediate action to assess and mitigate their exposure.