Oracle Denies Breach After Hacker Claims Theft of 6 Million Data Records

Oracle has come under fire after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers. The claimant, known as rose87168, released multiple text files containing sample database information, LDAP details, and a list of companies they alleged were targeted by the breach.

Oracle has vehemently denied any breach, stating that "there has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." This statement comes after rose87168 shared with BleepingComputer an Internet Archive URL indicating that they had uploaded a .txt file containing their ProtonMail email address to the login.us2.oraclecloud.com server.

Despite Oracle's denials, rose87168 claims to have gained access to Oracle Cloud servers around 40 days ago and to have exfiltrated data from the US2 and EM2 cloud regions. The threat actor alleges that the servers were running a vulnerable software version affected by a public CVE that does not currently have a public PoC or exploit.

In an email exchange, rose87168 claimed to have asked Oracle to pay 100,000 XMR for information on how they breached the servers. However, the company allegedly refused to pay after requesting "all information needed for fix and patch." The threat actor offered to share some of the data with anyone who can help decrypt SSO passwords or crack LDAP passwords.

"The SSO passwords are encrypted, they can be decrypted with the available files. Also, LDAP hashed passwords can be cracked," rose87168 says. "I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold."

BleepingComputer has contacted various companies whose data was allegedly stolen to confirm whether the data is valid. We will update this article if we hear back. The alleged breach has sent shockwaves through the cybersecurity community, with many left wondering how a threat actor could have gained access to Oracle Cloud servers.

The Breach: A Detailed Breakdown

In summary, rose87168 claims that they breached Oracle Cloud's SSO platform by exploiting a vulnerable version of the software. The threat actor alleges that they gained access to sensitive information, including encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys.


The Consequences

Companies that were allegedly targeted by the breach now face an uncertain future. rose87168 is offering to sell the allegedly stolen data for an undisclosed price, and says companies can pay a specific amount to have their employees' information removed from the list before it's sold.

The breach has raised concerns about the security of Oracle Cloud servers and the potential consequences for customers. BleepingComputer will continue to monitor the situation and provide updates as more information becomes available.