Threat actor in Oracle Cloud breach may have gained access to production environments - Cybersecurity Dive

Source: Cybersecurity Dive. Archived Mar 17, 2026.


DIVE BRIEF

Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.

Published March 27, 2025
David Jones, Reporter

Photo caption: Oracle’s Silicon Valley corporate headquarters in Redwood, California, pictured on Sept. 9, 2019. The technology company activated its first Oracle Database@AWS integration Monday. Getty Images

Dive Brief:

Security researchers are analyzing a 10,000-line dataset provided by a hacker who claimed to have breached Oracle Cloud. The threat actor claimed to have 6 million Oracle Cloud records, which may have impacted more than 140,000 tenants.

The sample being analyzed has information on about 1,500 organizations, which, if confirmed, would underscore the breadth of the exfiltrated data, according to researchers at CloudSEK.

There is evidence that indicates the hacker gained access to production environments based on the formatting of tenant IDs, according to researchers.

Dive Insight:

Oracle previously denied the claims of a breach, and it has not responded to numerous requests for comment by Cybersecurity Dive.

As previously reported, a hacker identified as rose87168 claimed credit for the incident, which they said was done by exploiting a vulnerability in Oracle Cloud’s login endpoint.

The alleged breach involved CVE-2021-35587, a vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware. The vulnerability, with a CVSS score of 9.8, allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.

CloudSEK plans to release additional findings on the threat actor sample, but it said existing evidence points to the sample being authentic and without any test or dummy data.

Researchers said the dataset contains numerous individual email addresses, which point to organizations allowing or using SSO-based authentication.

Filed Under: Vulnerability, Threats