A significant data breach at Oracle has exposed sensitive information of over 144,000 clients, with the company maintaining silence after initially denying the incident. Security researchers have now definitively confirmed the breach's authenticity, raising concerns about Oracle's transparency and response.
A threat actor, identified as Rose87168, claims to have compromised Oracle Cloud's federated SSO servers, obtaining approximately 6 million records. The stolen data includes single sign-on credentials, LDAP passwords, OAuth2 keys, and tenant information. The hacker is now attempting to sell this data, demanding payment from affected clients to remove their information from the leaked database.
Multiple cybersecurity firms, including Hudson Rock, CloudSEK, and Trustwave SpiderLabs, have independently verified the legitimacy of the breach. According to CloudSEK, the attacker exploited a zero-day vulnerability (CVE-2021-35587) in Oracle Access Manager, part of Oracle Fusion Middleware, to infiltrate the systems without authentication.
The exposed data contains sensitive personal information, including:
- Full names and display names
- Email addresses
- Job titles
- Department numbers
- Phone numbers
- Home contact details
Despite Oracle's statement to Bleeping Computer claiming "no breach of Oracle Cloud," security expert Kevin Beaumont suggests the company's careful wording might be attempting to deflect responsibility. CloudSEK has confirmed through its clients that the leaked data is both accurate and current.
Hudson Rock's CTO Alon Gal expressed concern about Oracle's handling of the situation, calling their lack of transparency "crazy." In the absence of official guidance from Oracle, affected customers are advised to follow CloudSEK's mitigation recommendations to protect their data.
The incident highlights growing concerns about corporate transparency in cybersecurity incidents and the importance of prompt disclosure to affected parties. As Oracle maintains its silence, security experts continue to emphasize the serious nature of this breach and its potential implications for affected organizations.