
Oracle Denies Massive Cloud Breach as Hacker Sells 6M Records


Oracle is denying reports of a large-scale data breach after a hacker claimed responsibility for stealing 6 million records from Oracle Cloud in what researchers are calling the biggest supply chain hack of 2025. Cybersecurity firm CloudSEK first reported the alleged attack, which they say exploited a zero-day vulnerability in Oracle WebLogic and may have impacted over 140,000 Oracle Cloud tenants.

According to CloudSEK, the hacker known as “rose87168” is offering the stolen data for sale on BreachForums. The attacker claims to have accessed Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, extracting sensitive files that include Java Keystore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager Java Process Status (JPS) keys.

Oracle Rejects Breach Claims as CloudSEK Stands Firm

Oracle responded swiftly, denying any breach had occurred. In a statement, Deborah Hellinger, Oracle’s Director of Corporate Communications, said, “There has been no breach of Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data. The published credentials are not from Oracle Cloud.”

However, CloudSEK has doubled down on its findings. In a follow-up report, researchers claim to have verified key pieces of evidence provided by the hacker. They confirmed that the targeted subdomain, login.us2.oraclecloud.com, was a legitimate production environment used for Oracle’s SSO setup. The sample data shared by the attacker also matched real Oracle Cloud customer domains.

CloudSEK’s investigation suggests the hacker may have exploited a known vulnerability in Oracle Fusion Middleware—specifically CVE-2021-35587—which could allow attackers to take control of Oracle Access Manager systems. According to CloudSEK, the compromised system was running Oracle Fusion Middleware 11G, which had not been updated since 2014.

Oracle Cloud Potential Victims and Rising Concerns of a Supply Chain Attack

The hacker claims the breach exposed major companies, including FedEx, PayPal, Fortinet, and Cloudflare. On social media, rose87168 invited affected organizations to verify if their data was compromised. The attacker is also demanding ransoms from organizations and offering rewards for anyone who helps decrypt the stolen passwords.

Security experts warn that leaked JKS and key files could allow attackers to move laterally across enterprise networks, posing serious risks to interconnected systems. If confirmed, this would mark a significant cloud supply chain breach with far-reaching consequences.

A Wake-Up Call for Cloud Security and Third-Party Risk

Industry leaders are drawing comparisons to the SolarWinds attack of 2020, which forced a global reckoning around third-party cybersecurity risks.

“This isn’t just an Oracle issue; it’s a wake-up call for every organization relying on cloud providers,” said Ensar Seker, Chief Information Security Officer at SOCRadar. “If verified, this could easily be the SolarWinds moment of 2025.”

CloudSEK has also warned that decrypting the SSO and LDAP passwords could lead to wider Oracle Cloud breaches. Exposure of the data could allow attackers to escalate access, potentially breaching additional enterprise systems connected through Oracle’s services.

Immediate Actions and Next Steps for Potentially Affected Organizations

CloudSEK urges any potentially impacted organizations to act swiftly. Recommended actions include:

  • Resetting all LDAP passwords immediately, focusing on privileged and administrator accounts
  • Enforcing multi-factor authentication (MFA) across Oracle Cloud environments
  • Updating SASL hashes or migrating to stronger authentication methods
  • Contacting Oracle Support for guidance and risk assessment

Experts also suggest that Oracle customers demand a full technical breakdown from the company if the breach is validated, including a detailed timeline, impact analysis, and patch instructions. Transparency, they say, will be essential to restoring trust.

Meanwhile, CloudSEK has released an online tool allowing businesses to check if their Oracle Cloud instances were affected. The company maintains that its findings are based on evidence and verification, not speculation.

“We believe in transparency and evidence-based reporting — not fear-mongering. Our goal is to help the community and Oracle investigate this incident more effectively,” CloudSEK said in its update.

This incident, whether verified or not, raises serious questions about cloud supply chain security. Attackers exploiting third-party platforms like Oracle Cloud can cause widespread damage, especially when sensitive credentials and encryption keys are compromised.

“As businesses shift more critical operations to the cloud, this event underscores the need for continuous monitoring, vulnerability management, and strict governance over third-party systems,” Seker added.

While Oracle maintains that no breach occurred, the cybersecurity community continues to watch closely as new evidence emerges. If proven true, the Oracle Cloud Data Breach 2025 could set off major changes in how enterprises assess cloud risk and manage supply chain vulnerabilities.
