A hacker claims to have stolen 6m data records, but despite the evidence, the alleged victim organization has denied the breach
A controversy has recently emerged over a potential major data breach at a cloud service provider, with security researchers and the cloud service provider itself offering contradictory accounts of what occurred.
Apparently, on 21 March 2025, a hacker using the name “rose87168” publicly claimed to have stolen 6m records from Oracle Cloud, allegedly exposing sensitive data from approximately 140,000 tenants.
The hacker claimed that Oracle’s servers in both Amsterdam and Chicago had been compromised, resulting in the exposure of Java Key Store files, encrypted passwords, and Enterprise Manager JPS keys.
When questioned by media outlets, Oracle had categorically denied the allegations, stating: “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data”. This firm denial comes despite reports that Oracle has requested password resets from some customers.
Possible evidence and implications
CloudSEK, the cybersecurity firm that appears to have been the first to examine the hacker’s claim, reported that its threat intelligence team had uncovered “conclusive evidence validating the threat actor’s claims — including production-level exposure of Oracle Cloud SSO endpoints and real customer data in the leaked samples.”
Its investigation determined that:
- the domain login.us2.oraclecloud.com was actually compromised
- the potential customer impact was “profound”
- the breach in question had reportedly exploited CVE-2021-35587, a critical vulnerability in Oracle Access Manager within Oracle Fusion Middleware, which may have gone unpatched on the US2 server in Chicago. The method used to access the EM2 server in Amsterdam remains unclear.
- the hacker had allegedly approached the cloud service provider a month prior, demanding over US$200m in cryptocurrency for the stolen data. Oracle had allegedly refused to pay, given that it is illegal in the United States to pay cyber ransoms.
- the hacker “rose87168” has shared additional evidence with a media firm, suggesting the infiltration had occurred approximately 40 days before public disclosure.
Regardless of whether the breach occurred as the threat actor claims, numerous security experts have recommended that organizations using the cloud service provider reset the relevant login credentials, check their systems for indicators of compromise, and rotate credentials as a precautionary measure.
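The precaution above is a procedure rather than a product feature, so the following is an added example of how a tenant's security team might turn it into a repeatable check. It is not code from the article, from Oracle or from CloudSEK. It assumes two constructed inputs: a credential inventory with last-rotation dates, and SSO authentication log lines in a made-up format (real Oracle logs look different). The exposure window is taken from the article's statement that the intrusion occurred roughly 40 days before the 21 March 2025 disclosure; the exact start date, the internal address range and every account name are assumptions.

```python
"""Post-exposure credential audit: which secrets to rotate, and which logins to review.

Added example, not from the article or the vendor. All dates, names, log format and
address ranges are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import re

DISCLOSURE_DATE = date(2025, 3, 21)                      # public claim date (from the article)
EXPOSURE_START = DISCLOSURE_DATE - timedelta(days=40)    # "approximately 40 days" earlier (assumption)
INTERNAL_PREFIXES = ("10.",)                             # assumption: constructed internal address space

# Constructed inventory: (name, kind, last rotation as ISO date).
INVENTORY = [
    ("svc-erp-admin", "password", "2024-11-02"),
    ("tenant-sso-signing", "jks-key", "2025-01-15"),
    ("jps-encryption", "jps-key", "2025-03-25"),   # rotated after disclosure: nothing to do
    ("api-integration", "password", "2025-02-20"), # rotated inside the window: still exposed
]

# Constructed SSO log lines in a hypothetical format.
SSO_LOG = """\
2025-02-01T08:12:44Z login.example-sso.internal user=alice result=SUCCESS src=10.0.4.12
2025-02-15T23:51:03Z login.example-sso.internal user=svc-erp-admin result=SUCCESS src=203.0.113.77
2025-03-02T02:07:19Z login.example-sso.internal user=bob result=FAILURE src=198.51.100.9
2025-03-10T11:30:00Z login.example-sso.internal user=svc-erp-admin result=SUCCESS src=10.0.4.30
2025-03-30T09:00:00Z login.example-sso.internal user=alice result=SUCCESS src=10.0.4.12
"""

LOG_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(\S+) src=(\S+)$")


@dataclass
class AuthEvent:
    when: datetime
    endpoint: str
    user: str
    result: str
    src: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, endpoint, user, result, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(when, endpoint, user, result, src))
    return events


def credentials_to_rotate(inventory, window_end=DISCLOSURE_DATE):
    """The theft could have happened at any point inside the window, so only a rotation
    performed after the window closed is proof the current secret was never exposed."""
    return [name for name, _kind, last in inventory if date.fromisoformat(last) <= window_end]


def events_in_window(events, start=EXPOSURE_START, end=DISCLOSURE_DATE):
    """Authentication events that fall inside the suspected exposure window."""
    return [e for e in events if start <= e.when.date() <= end]


def suspicious_logins(events, exposed_accounts):
    """Successful logins, during the window, for an exposed account, from outside the
    internal ranges: the events a responder would review first."""
    exposed = set(exposed_accounts)
    return [
        (e.user, e.src, e.when.isoformat())
        for e in events
        if e.result == "SUCCESS" and e.user in exposed and not e.src.startswith(INTERNAL_PREFIXES)
    ]


def triage(inventory=INVENTORY, log_text=SSO_LOG):
    """Combine the two checks into one report."""
    rotate = credentials_to_rotate(inventory)
    window = events_in_window(parse_log(log_text))
    return {
        "rotate": rotate,
        "window_event_count": len(window),
        "suspicious": suspicious_logins(window, rotate),
    }


if __name__ == "__main__":
    report = triage()
    print("exposure window:", EXPOSURE_START, "to", DISCLOSURE_DATE)
    for name in report["rotate"]:
        print("rotate:", name)
    for user, src, when in report["suspicious"]:
        print("review login:", user, "from", src, "at", when)
```

Two design points matter here. A credential rotated during the window (the constructed `api-integration` entry) is still listed for rotation, because the date of the theft inside the window is unknown. And for the Java Key Store and JPS keys the article names, rotation means generating new key material and re-issuing whatever trusts the old keys; changing only the keystore password leaves a stolen copy of the keys fully usable.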