Oracle is pushing back against claims of a cyberattack after a hacker boasted about stealing millions of records from the company’s servers. The data, allegedly swiped from Oracle’s Cloud federated SSO login servers, surfaced on the dark web in mid-March 2025.
The threat actor, going by the alias rose87168, posted an archive containing 6 million data records, including a sample database, LDAP information, and a list of companies.
Oracle, however, flatly denied the breach, stating, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Encrypted SSO passwords
Rose87168 is now trying to sell the archive, demanding either an undisclosed sum or zero-day exploits in return.
The alleged haul includes encrypted SSO passwords, Java keystore (JKS) files, key files, enterprise manager JPS keys, and more. The hacker claims, “The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked.”
Rose87168 added, “Companies can pay a specific amount to remove their employees’ information from the list before it’s sold,” and mentioned that all companies involved will be listed.
Prior to peddling the stolen archive, rose87168 apparently tried to squeeze 100,000 XMR (Monero) out of Oracle. Negotiations fell apart, however, because the company demanded the details needed to “fix and patch,” and the threat actor allegedly did not share them.
The threat actor reportedly showed BleepingComputer an Internet Archive URL as proof. It showed that they had sent a .txt file holding their email address to the login.us2.oraclecloud.com server.