Oracle refutes claims of a breach by threat actor rose87168, who alleges selling 6 million Oracle Cloud SSO records. Explore the technical details, extortion tactics, and implications for cloud security

Continue reading
Tech giant Oracle has vehemently denied a data breach after a threat actor, operating under the alias rose87168, claimed to infiltrate Oracle Cloud’s federated SSO login servers. The actor allegedly sells 6 million records—including encrypted passwords, Java Keystore (JKS) files, and LDAP data—on the hacking forum BreachForums.
In a publicly announced statement, Oracle asserted, _“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No customers experienced a breach or lost data.”_ This rebuttal follows rose87168’s release of sample data and a URL purportedly proving access to Oracle’s `login.us2.oraclecloud.com` server.
Rose87168 alleges exploiting a critical unpatched CVE (Common Vulnerabilities and Exposures) in Oracle Cloud servers. While the actor claims the flaw lacks a public PoC (Proof of Concept), Oracle has not confirmed the vulnerability’s existence. Key technical points include:
Oracle has maintained a firm stance against the breach allegations:
The threat actor’s campaign employs psychological manipulation to pressure Oracle and its clients:

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been