Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com
The poster has no prior reputation; it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com
If anybody is interested, the servers they claim they targeted all run Oracle WebLogic and are managed by Oracle as a SaaS service.
Has anybody else got Oracle to comment on this? No reply to my queries.
Oracle are denying a breach to @BleepingComputer, but the threat actor has provided an archived URL which suggests they somehow uploaded a file to the Oracle Access Manager (SaaS solution) frontend.
https://web.archive.org/web/20250301161517/http:/login.us2.oraclecloud.com/oamfed/x.txt?x
The Oracle thing keeps getting more strange. The threat actor has supplied an hour long YouTube video, which appears to be taken from an endpoint inside Oracle... in 2019. They've also supplied a dump of data from 2025, to Hudson Rock. https://www.youtube.com/watch?v=375_G9wAffo
If anybody from Oracle follows me, I definitely think the OCI team needs to spin up security incident response on that YouTube video to try to find out what was happening. It looks like it may be a Citrix session recording of a staff member's access in OCI.
Hudson Rock are reporting the Oracle Cloud breach claim threat actor has provided 10k records, and they appear genuine according to one of their customers.
It’s unclear to me exactly what is happening with this one as the threat actor doesn’t appear to understand basic English grammar, but there are signs something has happened at Oracle.
Big problem for Oracle as I’m not sure how plausible denials will be when the threat actor, who sounds 12, is dumping data online.
CloudSEK are doubling down on their Oracle Cloud breach reporting, despite a denial from Oracle: https://cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis
I am still looking into this and will probably do a blog post this week. The threat actor is still dropping files everywhere and they do tend to point to a security incident at Oracle Cloud.
Bleeping Computer say multiple Oracle customers confirm their customer data has been stolen. Oracle continue to deny there is a problem.
Also, that YouTube video I linked above has two hours of audio of Oracle employees talking. I haven’t transcribed it yet.
Separately, the threat actor has shared what they claim to be current config files from Oracle Cloud servers with a different reporter.
I’m deliberately staying out of this one for now as I’m trying to finish Assassin’s Creed Shadows first, but I think Oracle may have a pending PR disaster when the TikTok deal is due to complete.
@GossiTheDog What are the odds on CVE-2024-8068 and CVE-2024-8069?
@GossiTheDog Never enough popcorn for #Oracle, my least favorite tech company of all time, including those dudes who claimed to own Linux I can't remember the name of.
@GossiTheDog oracle doing oracle things again :D
@DJGummikuh @GossiTheDog Oracle is the IT vendor equivalent of Lucy moving the football on Charlie Brown. I don't know how they still exist.
@GossiTheDog why would they tell the truth? Isn’t Larry buddies with Trump? I think we’re about to see just how much oligarchy we have already.
@GossiTheDog I deeply respect that you got your priorities straight
@GossiTheDog I started the transcript. Here's what it's produced so far. I don't have a GPU in the system I'm running this on so not sure how long it's going to take to finish. I'll upload all file formats when it completes.
https://github.com/j-klawson/oracle_breach_2025/blob/main/output_start.txt
@GossiTheDog p.s. doesn't appear to have any sensitive customer information in this sample:
ChatGPT:
After reviewing it, there do not appear to be any sensitive details such as:
Email addresses
Usernames
Passwords
API keys
Personally identifiable information (PII)
The transcript is primarily a technical discussion about system upgrades, pre-checks, configuration files, CLI usage, and server operations. It references general hostnames and commands but does not disclose any security credentials or private user data.
@GossiTheDog Is a public list of the domains involved available?
@GossiTheDog @hacks4pancakes as they finalize their talks to control US TikTok
@GossiTheDog OAM11g I haven’t seen used in well over a decade. Surprising they would be using that in a production server let alone unpatched. This CVE was patched by them in January 2022
@GossiTheDog looks like recorded support calls that could have been in breached storage to me.
@GossiTheDog Go to the Cloud @Viss said, it will be fine @Viss said.
@GossiTheDog @BleepingComputer
One thing you point out here has me thinking...
Does Oracle Cloud = Oracle Access Manager?
Looking at Oracle's own page on that, one could see it as a middleware component
https://www.oracle.com/middleware/technologies/access-management.html
Feels like Oracle is being very specific in their denial, but should we be asking a more specific question?
@definity @GossiTheDog @BleepingComputer I've been wondering that too. Or even the word breach. They aren't even saying there's an incident to talk about.
Definitions are useful and important, but a vendor does the public great disservice by hanging them by the neck with word play
@0ddj0bb @definity @BleepingComputer yeah, I’ve had similar thoughts on both counts.