
Oracle Faces Scrutiny After Alleged Data Breach, Hacker Puts Stolen Data Up for Sale

Oracle is under fire after a hacker claimed to have breached the company’s cloud systems, exfiltrating sensitive data from over 144,000 clients. The breach, which allegedly compromised around 6 million records, was initially denied by Oracle, but subsequent investigations and evidence from cybersecurity experts have raised serious concerns about the company’s handling of the situation.

The hacker, known by the alias Rose87168, claimed to have gained access to Oracle Cloud’s federated Single Sign-On (SSO) servers and to have taken a trove of highly sensitive material: SSO login details, Lightweight Directory Access Protocol (LDAP) password hashes, OAuth2 keys, and tenant data. In addition to threatening to sell the data, Rose87168 sought help from the hacking community to crack the hashed passwords in exchange for a share of the stolen information. Hashing slows such cracking but does not prevent it, so affected organisations should treat any credential on the list as compromised and rotate it, rather than relying on the hash to hold.

The hacker’s initial post included a sample of the stolen data, which Oracle swiftly denied in a statement to BleepingComputer. The company asserted that no breach had occurred and that no customer data had been compromised. That denial was met with skepticism as the hacker released further evidence, including “proof” sent to media outlets and security researchers.

Independent cybersecurity groups, including Hudson Rock and CloudSEK, have confirmed the legitimacy of the stolen data. CloudSEK’s analysis found that the affected login servers were running an outdated build of Oracle Fusion Middleware and attributed the intrusion to CVE-2021-35587, a critical vulnerability in Oracle Access Manager, the SSO component of Fusion Middleware, that lets an unauthenticated attacker with network access take over the server. This was not a zero-day: Oracle patched the flaw in 2022, so the likely cause is an unpatched, internet-facing system rather than a previously unknown bug.

Security experts from Trustwave SpiderLabs also reviewed the leaked data and confirmed its authenticity, describing it as a highly detailed and sensitive user directory. The exposed records contained personally identifiable information (PII) such as names, job titles, email addresses, phone numbers, and even home contact details, posing significant cybersecurity and operational risks to the affected organizations.

Additionally, the hacker uploaded a recording of an internal Oracle meeting, further proving the breach’s legitimacy. Despite this, Oracle continued to deny that its cloud services had been affected. The company’s statements, particularly its insistence that no breach occurred within “Oracle Cloud,” have raised suspicions. Some experts, such as cybersecurity specialist Kevin Beaumont, have suggested that Oracle’s wording was strategically crafted to downplay the incident by focusing on “Oracle Cloud” while seemingly shifting the blame to its legacy service, “Oracle Classic.”

While Oracle’s response has been criticized as misleading and evasive, further analysis by CloudSEK confirmed that the leaked data was current, contradicting Oracle’s claims that it was outdated or irrelevant. The company’s lack of transparency has left many customers in the dark about the full scope of the breach and how to protect themselves.

Alon Gal, CTO of Hudson Rock, called Oracle’s refusal to acknowledge the breach “crazy,” emphasizing the need for greater transparency in cases like these. Without guidance from Oracle, Gal directed affected customers to CloudSEK’s recommendations to mitigate potential damage from the breach.

The ongoing silence from Oracle has been described as irresponsible by some experts, with many urging the company to provide clear information and support to those affected. As the hacker continues to threaten the sale of the stolen data, the incident serves as a stark reminder of the risks associated with data breaches and the importance of corporate responsibility in handling such incidents.
