
The Great Oracle Cloud Heist: 6 Million Records Compromised in Historic Breach


BENGALURU: In a cybersecurity saga that’s raising eyebrows across the tech world, Bengaluru-based firm CloudSEK has dropped a bombshell: a hacker may have breached Oracle Cloud, exposing 6 million records tied to over 140,000 organizations. While Oracle staunchly denies any compromise, CloudSEK’s meticulous follow-up investigation paints a troubling picture—one that could spell serious trouble for businesses relying on the cloud giant’s services.

This isn’t just another tech headline; it’s a wake-up call for companies everywhere, highlighting the fragile line between digital security and disaster. Here’s what we know so far.

The Breach That Started It All

On March 21, 2025, CloudSEK’s threat-spotting tool, XVigil, flagged a disturbing post on a dark web forum. A hacker known only as “rose87168” claimed they’d cracked into Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, walking away with a staggering 6 million records. These weren’t scraps of test data—they included sensitive authentication credentials and tenant information, impacting businesses across multiple regions and industries.

Threat actor listing 6M records exfiltrated from Oracle Cloud

The alleged entry point? A login server called login.(region-name).oraclecloud.com. CloudSEK didn’t waste time: they verified the hacker’s claims, issued a public alert (TLP Green), and sent a detailed report (TLP RED) to Oracle that same day. They even launched a free tool to help companies check if they were among the affected. But Oracle’s response was swift and firm. Speaking to Bleeping Computer, the company declared, “There has been no breach of Oracle Cloud.”

For CloudSEK, that denial was just the beginning.


Evidence vs. Denial: A Clash of Narratives

A Server’s Secrets Revealed

CloudSEK’s follow-up report, released on March 24, 2025, digs into the specifics—and it’s compelling stuff. The hacker pointed to login.us2.oraclecloud.com as their way in, backing it up with a sample of customer data and a text file they’d planted on the server. CloudSEK’s analysis found this server was live about a month earlier, lining up with the hacker’s claim that Oracle shut it down weeks before the breach went public.

“We’re not in the business of speculation,” said Rahul Sasi, CloudSEK’s CEO and co-founder, in a statement that carries the weight of a decade in cybersecurity. “Our focus is on transparency and hard evidence. This report gives Oracle and the community the facts they need to tackle this head-on.”

Using their Nexus platform and insights from cyber HUMINT—human intelligence gathered from the web’s underbelly—CloudSEK built a case that challenges Oracle’s stance. But why the denial? It’s possible Oracle hasn’t seen the breach in their logs yet, or they’re defining “breach” more narrowly than the evidence suggests. Either way, CloudSEK’s findings demand attention.

Hard Proof from the Source

The evidence gets technical, but it’s airtight. CloudSEK unearthed a script (mpapihelper.py) in an archived GitHub repository from Oracle’s official “oracle-quickstart” account. This script used login.us2.oraclecloud.com to generate OAuth2 tokens for the Oracle Cloud Marketplace—a clear sign it was a production system, not some forgotten test server.

Then there’s the third-party confirmation. OneLogin, a leader in identity management, and Rainfocus, an Oracle Cloud partner, have guides showing this server handling live SSO tasks and metadata retrieval. It fits Oracle’s own deployment pattern: [identity-domain].login.us2.oraclecloud.com. This wasn’t a fluke—it was a cornerstone of their infrastructure.

Real Businesses Caught in the Crosshairs

The most human part of this story? The victims. CloudSEK matched the hacker’s leaked tenant list to real companies—names like sbgtv.com, nexinfo.com, cloudbasesolutions.com, nucor-jfe.com, and rapid4cloud.com. These aren’t dummy accounts; they’re active Oracle Cloud users, their details pulled from public GitHub repositories and partner documents.

For these organizations, it’s not abstract—it’s personal. Their login credentials could be floating around the dark web, up for grabs to anyone with a bitcoin wallet and bad intentions.

The Fallout: Risks That Hit Hard

This breach isn’t a minor hiccup; it’s a potential catastrophe. Here’s why it matters:

  • Data Flood: With 6 million records exposed, including authentication details, hackers could waltz into corporate systems, opening the door to espionage or outright theft.
  • Password Peril: Encrypted SSO and LDAP passwords are in the mix. If decrypted, they could unlock a wave of secondary breaches.
  • Extortion Pressure: The hacker isn’t just selling—they’re demanding ransoms from affected firms to pull the data offline, adding financial strain to the chaos.
  • Hidden Flaws: CloudSEK suspects a zero-day vulnerability—an unpatched gap—might be at play, raising fears of bigger weaknesses in Oracle’s defenses.
  • Domino Effect: Exposed Java KeyStore (JKS) files could let attackers leap from one system to another, threatening entire supply chains.

For businesses, this is a gut punch—a reminder that even the biggest names in tech aren’t immune to trouble.

What Companies Can Do: CloudSEK’s Plan

CloudSEK isn’t leaving companies in the lurch. Their advice is practical and urgent:

  • Lock It Down: Reset all SSO and LDAP credentials and enforce multi-factor authentication (MFA) to block unauthorized access.
  • Search the Logs: Investigate any activity linked to login.us2.oraclecloud.com to spot signs of intrusion.
  • Stay Vigilant: Monitor dark web forums for mentions of your data—knowledge is power here.
  • Team Up with Oracle: Push for collaboration to confirm vulnerabilities and get fixes rolling.
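As an added example that is not part of the article or of CloudSEK's tool, the following Python script implements the "Search the Logs" step above: it parses proxy access log lines and flags requests to login.us2.oraclecloud.com or to the tenant-prefixed form [identity-domain].login.us2.oraclecloud.com described earlier, while rejecting lookalike hosts that merely contain that string. The log format, client addresses and all hosts other than the Oracle one are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic):
# timestamp, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2025-02-18T09:14:03Z 10.0.4.17 GET https://acme-corp.login.us2.oraclecloud.com/sso/login 200
2025-02-18T09:14:05Z 10.0.4.17 POST https://login.us2.oraclecloud.com/sso/callback 302
2025-02-18T09:15:41Z 10.0.4.22 GET https://docs.oracle.com/en/cloud/ 200
2025-02-18T09:16:02Z 10.0.4.31 GET https://login.us2.oraclecloud.com.evil.example/ 200
2025-02-19T22:03:10Z 10.0.4.17 GET https://login.us6.oraclecloud.com/ 200
""".splitlines()


def parse_line(line):
    """Split one constructed proxy line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    host = urlparse(url).hostname or ""
    return {"time": ts, "client": client, "method": method, "host": host, "status": int(status)}


def find_oracle_login_hits(lines, regions=("us2",)):
    """Return records whose host is login.<region>.oraclecloud.com or the
    tenant-prefixed [identity-domain].login.<region>.oraclecloud.com form.

    The pattern is anchored on the whole hostname, so a lookalike such as
    login.us2.oraclecloud.com.evil.example is not reported. Only us2 is
    named in the report, but other regions can be passed explicitly.
    """
    region_alt = "|".join(re.escape(r) for r in regions)
    pattern = re.compile(rf"^(?:[a-z0-9-]+\.)?login\.(?:{region_alt})\.oraclecloud\.com$", re.I)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and pattern.match(rec["host"]):
            hits.append(rec)
    return hits


def clients_to_review(hits):
    """Internal clients that reached the host, as a starting list for credential resets."""
    return sorted({h["client"] for h in hits})
```

Point the script at real proxy, DNS or firewall exports (adjusting parse_line to their format) and review every client it reports, since those are the sessions whose SSO credentials may have transited the server in question.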

They’ve also put that free exposure-check tool online, letting companies see if their domain’s on the hacker’s list. It’s a lifeline for IT teams scrambling to respond.

CloudSEK’s Mission: Clarity Over Chaos

CloudSEK, a Bengaluru-based security firm with a knack for spotting threats, isn’t new to this. They’ve been at it for years, building tools like XVigil and Nexus to stay ahead of the curve. They were the first to catch this breach, verifying it while the hacker’s post was still hot. Now, with their March 24 report, they’re doubling down—not to gloat, but to help.

“We’re all about responsible disclosure,” Sasi emphasized. “This isn’t about creating panic; it’s about giving people the tools to act.” More details are coming, they say, to support Oracle and the broader cybersecurity community in plugging the holes.

The Bigger Question: What’s Oracle Hiding?

Oracle’s silence beyond their initial denial leaves room for speculation. Did they miss the breach entirely? Was the server’s shutdown a quiet fix—or too little, too late? For now, they’re not talking, but CloudSEK’s evidence is doing plenty of that for them.

This isn’t just Oracle’s story—it’s a cautionary tale for the cloud industry. As companies lean on platforms like these, a single crack can send shockwaves through millions of users. For IT leaders and executives, it’s a stark reality check: your security is only as strong as its weakest link.

CloudSEK’s not packing up yet. They’re tracking the hacker’s next moves and promising more intel soon. For affected companies, time’s ticking—every hour counts when your data’s on the line.

Follow The420.in on Telegram, Facebook, Twitter, LinkedIn, Instagram and YouTube.