Global data leak? 1,40,000 companies affected by a cyber attack against Oracle

Last week, a cybercriminal took to BreachForums to claim responsibility for the Oracle Cloud hack. On the criminal forum, the hacker claimed to have compromised Oracle servers and stolen 6 million data records. To prove his claim, the hacker uploaded several samples and sent further evidence to our colleagues at Bleeping Computer. He claims the hack occurred between February 9 and 15, 2025, and that only one server was affected.

Despite the evidence provided by the hacker, Oracle strongly denies that it was the victim of a cyberattack. The American company maintains that there has been "no breach of Oracle Cloud" and that no "Oracle Cloud customer has experienced a breach or lost data."

A leak that is confirmed

A few days after the events, the specialized media was able to corroborate, with several companies that use Oracle Cloud, the veracity of the data provided by the cybercriminal. The data samples shared on BreachForums are indeed authentic.

The companies surveyed confirmed that the Lightweight Directory Access Protocol (LDAP) display names, email addresses, first names, and other identifying information were correct and belonged to them. This is also the opinion of researchers at CloudSEK, who discovered the breach on March 21, 2025.

A serious security incident

For researcher Clément Domingo, it is safe to say that "Oracle Cloud is the victim of the largest cyberattack in its history." The data leak would affect "140,000 companies worldwide," according to the seller's claims on BreachForums. The hacker, who operates under the alias rose87168, has in fact posted the complete list of affected companies online.

CloudSEK researchers say the hacker exploited a critical vulnerability in the code of Oracle Access Manager (OAM), a core component of the Oracle Identity and Access Management (IAM) suite. By exploiting this vulnerability, he was able to compromise Oracle Access Manager.

Data for Sale

The hacker initially requested a ransom of more than $22 million from Oracle. The attacker claims to have sent an email stating that he had "dug into the cloud dashboard infrastructure and found a massive vulnerability that gave me complete access to information on 6 million users."

The company reportedly refused to negotiate. While Oracle has yet to confirm or deny The cybercriminal put all the information obtained during the attack up for sale on the black market. He specifies that "companies can pay a specific amount to remove their employees' information from the list before it is sold."

As Clément Domingo points out, the data can be used to steal employees' identities via compromised credentials, access sensitive company data, launch supply chain attacks, or even execute ransomware attacks.

Source: Bleeping Computer
