The Oracle Cloud Breach of 2025: Unpacking the Year’s Biggest Supply Chain Attack

Overview
On March 21, 2025, the cybersecurity community was rocked by the disclosure of a serious supply chain breach targeting Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. The threat actor, known by the alias “rose87168,” claimed responsibility for exfiltrating over 6 million sensitive records, including:
- Java KeyStore (JKS) files
- Encrypted SSO and LDAP passwords
- Key files
- Enterprise Manager JPS keys
This data was allegedly made available for sale on BreachForums, with over 140,000 Oracle Cloud tenants affected, spanning Fortune 500 firms, startups, and public sector organizations.
How It Happened: CVE-2021-35587
The attack vector is suspected to be CVE-2021-35587 — a critical vulnerability in Oracle Access Manager (CVSS 9.8) that allows unauthenticated remote code execution via a crafted HTTP request. The issue stems from improper input validation, and Oracle issued a patch in January 2022. However, evidence suggests that outdated instances of Fusion Middleware 11G remained online and unpatched within Oracle’s infrastructure.
Timeline of the Incident
- Feb 9–15: Breach of login.us2.oraclecloud.com, 6M records stolen.
- Late Feb: Hacker contacts Oracle, demands $200M+ in XMR. Negotiations fail.
- Mar 3: Wayback Machine captures text file uploaded by hacker to Oracle’s server.
- Mar 21: BreachForums post goes live. Sample data released.
- Mar 22: Oracle denies breach. Server goes offline.
- Mar 25: 10,000-line sample of data leaked. Investigation intensifies.
Evidence of Breach
The hacker uploaded a file to login.us2.oraclecloud.com containing their ProtonMail address. Screenshots and sample files (LDAP.txt, Company.List.txt, Database.txt) were shared publicly. While Oracle has denied a confirmed breach, several Oracle customers validated the leaked credentials.
Implications for Enterprises
This breach is a stark reminder of the risks of outdated infrastructure and poor patch hygiene. Attackers exploited weak points in authentication infrastructure, threatening tenant security across sectors.
What Should Organizations Do Now?
1. Rotate Credentials
- Immediately reset SSO, LDAP, and all related authentication secrets.
2. Enforce MFA
- Require Multi-Factor Authentication on all Oracle Cloud accounts.
3. Patch Systems
- Ensure Fusion Middleware is patched past October 2021.
- Replace affected certificates (SSO, SAML, OIDC).
4. Limit Exposure
- Restrict access to login endpoints using IP whitelisting and zero-trust models.
5. Monitor and Investigate
- Review logs, monitor the dark web, and conduct forensic checks.
6. Evaluate Supply Chain Dependencies
- Assess third-party vendor integrations for security posture.
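As an added example (not code from the original post or from Oracle), here is a small log-review check in the spirit of items 4 and 5 above: it reads an access log for a login host, flags requests from outside an IP allowlist, successful write methods, and a plain text file served from the web root, which is the kind of dropped-file evidence described earlier. The allowlist ranges, paths and log lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
# Hypothetical allowlist of corporate egress ranges (constructed for this example).
ALLOWED_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
# Methods that can write content onto the server; a 2xx reply means the write succeeded.
WRITE_METHODS = {"PUT", "DELETE"}
# A plain text file served from the web root matches the "uploaded text file" indicator.
ROOT_TEXT_FILE = re.compile(r"^/[^/?]+\.txt$")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def check_line(line: str) -> list:
    """Return the rule names a single access-log line trips (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
    try:
        src_ok = any(ip_address(ip) in net for net in ALLOWED_NETS)
    except ValueError:  # hostname or garbage in the client field: treat as untrusted
        src_ok = False
    hits = []
    if not src_ok:
        hits.append("source_not_allowlisted")   # item 4: restrict login endpoints by IP
    if method in WRITE_METHODS and 200 <= status < 300:
        hits.append("write_method_succeeded")   # a client created or removed content
    if method == "GET" and status == 200 and ROOT_TEXT_FILE.match(path):
        hits.append("text_file_at_web_root")    # matches the dropped-file evidence
    return hits

def analyze_log(text: str) -> dict:
    """Map each offending line number (1-based) to the rules it tripped."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            hits = check_line(line)
            if hits:
                findings[n] = hits
    return findings

# Constructed sample in combined-log style; the paths and IPs are not from the incident.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2025:09:12:01 +0000] "GET /login HTTP/1.1" 302 0
192.0.2.55 - - [11/Feb/2025:02:41:13 +0000] "GET /login HTTP/1.1" 200 5123
192.0.2.55 - - [11/Feb/2025:02:43:50 +0000] "PUT /note.txt HTTP/1.1" 201 62
203.0.113.9 - - [11/Feb/2025:08:00:02 +0000] "GET /note.txt HTTP/1.1" 200 62
203.0.113.9 - - [12/Feb/2025:08:00:02 +0000] "GET /login HTTP/1.1" 200 1200
"""
```

Running `analyze_log(SAMPLE_LOG)` reports lines 2 and 3 for the non-allowlisted source (line 3 also for the successful PUT) and line 4 for the text file at the web root.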
Conclusion
Whether Oracle confirms the breach or not, the evidence and impact suggest real risk. Organizations must treat this as a catalyst to improve their cloud security posture, patch management lifecycle, and authentication hardening.
Want to see how Apphaz protects against cloud supply chain breaches? Book a free demo today at Apphaz.com.