
Oracle Cloud Data Breach: CloudSEK Confirms Attack, Compromise Of 6 Million Records In New Report

The confirmation by CloudSEK follows Oracle’s denial of any data breach of Oracle Cloud.

In a follow-up investigation to the Oracle Cloud data breach, cybersecurity firm CloudSEK has released evidence confirming the exposure of sensitive enterprise data.

(Source: CloudSEK)

In a follow-up investigation to the Oracle Cloud data breach, cybersecurity firm CloudSEK has released evidence confirming the exposure of sensitive enterprise data. The confirmation follows Oracle’s denial of any breach, even as a threat actor claiming responsibility is actively selling 6 million records allegedly exfiltrated from Oracle Cloud infrastructure.

CloudSEK’s investigation was launched on March 21, after its threat intelligence platform detected a threat actor, identified as “rose87168,” offering 6 million records for sale—data allegedly exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.

The threat actor claimed they gained access through the login endpoint “login.(region-name).oraclecloud.com”, a central login authentication system used by Oracle Cloud tenants (organisations whose environments are hosted on Oracle’s cloud).

The breach, reportedly affecting over 140,000 organisations across multiple regions and industries, highlights critical vulnerabilities in cloud infrastructure and raises urgent questions about enterprise security. 

Evidence Over Denial

Oracle responded to the initial disclosure with a statement to Bleeping Computer: “There has been no breach of Oracle Cloud.” However, CloudSEK’s analysis and the evidence supplied by the threat actor both support the claim that the SSO server was active weeks before the breach surfaced.

“We’re driven by transparency and evidence, not speculation,” said Rahul Sasi, CEO and co-Founder of CloudSEK. “This follow-up report equips the community and Oracle with facts to investigate and mitigate this threat responsibly.”

CloudSEK also said it has released a free tool to help organisations check if they’re among the affected tenants. It also plans to release additional details in the coming days to aid Oracle and the cybersecurity community in investigating and mitigating this incident. 

High-Stakes Implications

According to CloudSEK, the breach’s impact is profound:

  • Mass Exposure: 6 million records, including authentication data, heighten the risk of unauthorised access and espionage.

  • Credential Threats: Encrypted passwords could unlock further breaches if cracked.

  • Ransom: The actor is demanding ransoms to remove data, pressuring affected firms.

  • Zero-Day Risk: A suspected unpatched vulnerability suggests deeper security flaws.

  • Supply Chain Fallout: Exposed files could enable attacks on interconnected systems.

Evidence Of Compromise

CloudSEK’s investigation zeroes in on three key findings:

Production SSO Role Confirmed: An archived GitHub repository from Oracle’s official “oracle-quickstart” account features a script (mpapihelper.py) using login.us2.oraclecloud.com for OAuth2 token generation. This endpoint authenticated API requests for the Oracle Cloud Marketplace, proving its production use. OneLogin and Rainfocus documentation further validate its role in live SSO setups.

Real Users’ Exposure: Domains like sbgtv.com, nexinfo.com, cloudbasesolutions.com, nucor-jfe.com, and rapid4cloud.com—found in public GitHub repositories and Oracle partner guides—match the attacker’s leaked tenant list. These are not dummy accounts but Oracle Cloud users, underscoring the breach’s scope.

Operational Legitimacy: The server’s SSO functionality is reinforced by its use in SAML configurations (OneLogin) and Identity Provider metadata retrieval (Rainfocus), aligning with Oracle’s production deployment model: [identity-domain].login.us2.oraclecloud.com.
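As an added illustration (not CloudSEK’s checking tool or any Oracle code), the Python below parses hostnames in the [identity-domain].login.(region).oraclecloud.com layout described above and flags identity domains an organisation operates that also appear in a list of exposed SSO endpoints. The identity domains, regions and sample list are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Hostname layout cited in the report:
#   [identity-domain].login.<region>.oraclecloud.com
# The identity-domain prefix is optional so the bare regional endpoint
# (e.g. login.us2.oraclecloud.com) is also recognised.
SSO_HOST_RE = re.compile(
    r"^(?:(?P<identity_domain>[a-z0-9][a-z0-9-]*)\.)?"
    r"login\.(?P<region>[a-z0-9]+)\.oraclecloud\.com$"
)


class SsoHost(NamedTuple):
    identity_domain: Optional[str]  # None for the bare regional endpoint
    region: str


def parse_sso_host(hostname: str) -> Optional[SsoHost]:
    """Return the parsed SSO host, or None if it does not fit the layout."""
    m = SSO_HOST_RE.match(hostname.strip().lower())
    if not m:
        return None
    return SsoHost(m.group("identity_domain"), m.group("region"))


def extract_sso_hosts(text: str) -> List[SsoHost]:
    """Pull every distinct SSO hostname out of free-form text (logs, configs, a leaked list)."""
    found: List[SsoHost] = []
    for token in re.findall(r"[A-Za-z0-9.-]+\.oraclecloud\.com", text):
        parsed = parse_sso_host(token)
        if parsed and parsed not in found:
            found.append(parsed)
    return found


def affected_domains(leaked_text: str, own_identity_domains: Set[str]) -> Set[str]:
    """Identity domains you operate that also appear in the exposed list (case-insensitive)."""
    leaked = {h.identity_domain for h in extract_sso_hosts(leaked_text) if h.identity_domain}
    return {d.lower() for d in own_identity_domains} & leaked


# Constructed sample in the style of an exposed endpoint list; not real tenants.
SAMPLE_LEAK = """
acme-corp.login.us2.oraclecloud.com
globex.login.em2.oraclecloud.com
not-an-sso-host.oraclecloud.com
login.us2.oraclecloud.com
"""

if __name__ == "__main__":
    print(sorted(affected_domains(SAMPLE_LEAK, {"ACME-Corp", "initech"})))
```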
