The Biggest Supply Chain Hack of 2025: A Massive Breach of Oracle's Sensitive Data

In a shocking revelation that has left the cybersecurity community reeling, CloudSEK's XVigil team has uncovered a massive supply chain hack involving sensitive data from Oracle Cloud. According to reports, over 6 million records have been exfiltrated from the company's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, with some of the stolen data including JKS files, encrypted SSO passwords, key files, and enterprise manager Java Platform, Standard Edition (JPS) keys.

The threat actor responsible for this breach, identified only by their handle "rose87168," has been active since January 2025. What's even more alarming is that the attacker is not only selling the stolen data but also offering decryption assistance and demanding payment from over 140,000 affected tenants in exchange for the removal of the sensitive information.

CloudSEK's assessment suggests that this threat actor may have discovered an undisclosed vulnerability on Oracle Cloud ((region-name).oraclecloud.com) that allowed them to gain unauthorized access to the system. While the attacker has no prior history of malicious activities, their methods indicate a high level of sophistication and expertise.

"We assess this threat with medium confidence and rate it as High in severity," said [Your Name], lead analyst at CloudSEK. "The scale of the breach is staggering, and we urge all tenants to take immediate action to protect themselves from potential attacks."

The implications of this breach are far-reaching, and Oracle will likely face intense scrutiny over its handling of the incident. As one expert noted, "This is a wake-up call for companies to review their security protocols and take proactive steps to prevent similar breaches in the future."

What You Need to Know

* Over 6 million records exfiltrated from Oracle Cloud
* Data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys
* Threat actor demands payment for data removal from affected tenants
* Attack may have been facilitated by an undisclosed vulnerability on Oracle Cloud ((region-name).oraclecloud.com)
* CloudSEK rates the threat as High in severity