- A threat actor offers a database for sale that claims it came from Oracle
- The archive contains encrypted SSO -password codes and more
- Oracle refused to be violated or losing data
Oracle has refused to suffer a cyberattack and a data violation after claims from a hacker of having stolen millions of items from corporate servers.
In mid-March 2025, a threat actor with alias Rose87168 released 6 million data registers and claimed they were seized from Oracle’s Cloud Federated SSO-Login servers. The archive published on the Dark Web included a test database, LDAP information and a list of companies.
Perhaps not surprisingly, Oracle had none of it and issued a statement declaring, “There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a violation or lost any data.”
Encrypted SSO passwords
Meanwhile, Rose87168 took the archive for sale in return for either a non-public money or zero-day exploitation.
The threat actor claims that the data includes encrypted SSO passwords, Java Keystore (JKS) files, key files, company manager JPS KEYS and more.
“The SSO password codes are encrypted, they can be decrypted with the available files. Also LDAP -HASHED -HAPE CODE can be broken,” Rose87168 said.
“I will list the domains for all companies in this leak. Companies can pay a specific amount to remove their employees’ information from the list before they are sold.”
Before noting the stolen archive for sale, the threat actor apparently asked Oracle about 100,000 XMR (Monero Cryptocurrency), but the company also required “all information needed for solution and patch” and since Rose87168 did not make, the negotiations broke down.
To prove that the stolen files were legitimate, gave the threat actor Bleeping computer A URL for Internet Archive showing that they uploaded a .txt file that contains their E -Mail address to Login.us2.oraclecloud.com server.
The publication reached Oracle for an explanation – we have also contacted the company for comment.
