Oracle Cloud Security Incident: 6 Million Records Exposed
2025-03-23

On March 21, 2025, CloudSEK's XVigil discovered a threat actor, "rose87168," selling 6 million records exfiltrated from Oracle Cloud's SSO and LDAP. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. The attacker, active since January 2025, is demanding payment for data removal. CloudSEK assesses this threat with medium confidence and rates its severity as high. The investigation suggests a potential vulnerability on login.(region-name).oraclecloud.com. Immediate security measures are recommended, including password resets, SASL hash updates, and certificate regeneration.