Massive Oracle Cloud Breach: 6M Records Exposed, 140k+ Tenants Risked


A sophisticated supply chain hack targeting Oracle Cloud has exfiltrated a staggering 6 million records.

CloudSEK’s XVigil uncovered that threat actor “rose87168” began selling the stolen data on March 21. The breach, exploiting a vulnerability in Oracle’s cloud infrastructure, now endangers over 140,000 tenants and has raised serious questions about cloud security practices.

Incident discovery and exploitation

According to CloudSEK’s analysis, the threat actor claimed to have breached the subdomain login.us2.oraclecloud.com — an endpoint once hosting Oracle Fusion Middleware 11G. The initial access was gained by hacking the login endpoint (login.(region-name).oraclecloud.com), where sensitive single sign-on (SSO) and LDAP credentials were stored.

The compromised database contains approximately 6 million lines of data, including critical assets such as JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. The attacker even offered an incentive to those who could help decrypt or crack these credentials and has been actively reaching out to affected organizations demanding a “fee” to remove their data.

Vulnerability analysis and exploit details

  1. The breach appears to be linked to a well-known vulnerability — CVE-2021-35587 — which affects Oracle Access Manager (OpenSSO Agent) in Oracle Fusion Middleware. 
  2. According to FOFA data, the vulnerable endpoint, last updated on Sept. 27, 2014, allowed an unauthenticated attacker network access via HTTP.
  3. This easily exploitable flaw enabled a complete compromise of Oracle Access Manager, underscoring how outdated configurations and poor patch management can lead to large-scale security failures.
  4. The fact that the affected subdomain was captured on the Wayback Machine in February 2025 further points to the longstanding vulnerability present in legacy Oracle systems.

Expert analysis and the broader cybersecurity context

Cybersecurity analysts have long warned that the rapid adoption of cloud technologies can outpace the implementation of necessary security frameworks. This incident reinforces that message.

Experts argue that cloud services offer scalability and flexibility but introduce complex security challenges that require continuous vigilance and proactive defense strategies.

The consequences of this breach are severe. Beyond mass data exposure, there are heightened risks of credential compromise, corporate espionage, and potential extortion. 

Organizations now face additional challenges: besides safeguarding sensitive data, they must contend with possible ransom demands from threat actors. Immediate mitigation measures include:

  • Resetting passwords, particularly for privileged LDAP accounts.
  • Rotating tenant-level credentials.

Affected organizations should also regenerate certificates and secrets linked to compromised configurations, audit logs for unusual activity, and implement enhanced monitoring.
