WK Hui life

The alleged Oracle Cloud breach, discovered in March 2025, involved the exfiltration of approximately 6 million records affecting over 140,000 tenants [1]. The threat actor, known as “rose87168,” claimed to have exploited a vulnerability (CVE-2021-35587) in Oracle’s cloud login infrastructure, specifically targeting the endpoint login.(region-name).oraclecloud.com [2]. The compromised data reportedly includes Java Key Store (JKS) files, encrypted SSO and LDAP passwords, and Enterprise Manager JPS keys [1][2]. Despite Oracle’s denial of the breach, multiple customers have confirmed to BleepingComputer that data samples shared by the attacker are valid [3], and independent security researchers have corroborated the incident’s authenticity [4][5].

Citations:

  1. https://www.esecurityplanet.com/trends/oracle-cloud-breach-6m-records-140k-tenants-risk/
  2. https://orca.security/resources/blog/oracle-cloud-breach-exploiting-cve-2021-35587/
  3. https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
  4. https://www.acaglobal.com/insights/six-million-records-potentially-compromised-oracle-cloud-breach
  5. https://blackkite.com/blog/oracle-cloud-breach-claims-denials-and-the-reality-of-cloud-security-risks-in-tprm/