
How to Navigate the Oracle Cloud Incident: Key Steps to Take
Earlier this month, Oracle suffered what is being called the biggest supply chain hack of 2025 so far. According to several sources, a breach occurred when 6 million records were exfiltrated from Oracle Cloud, affecting more than 140,000 tenants. While Oracle originally denied the incident, intelligence sources have provided supporting evidence that a breach did in fact expose sensitive data via Oracle Cloud’s production single sign-on endpoints.
Oracle Cloud Breach: What Happened?
On March 21, a cybersecurity company reported a threat actor claiming to be selling 6 million data records stolen from Oracle's cloud federated SSO login servers. The hacker claimed the data (including encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys) involves 140,000 Oracle Cloud tenants.
The attacker, active since January 2025, is seeking assistance to decrypt the stolen data and/or crack the stolen LDAP passwords, while also demanding payment to delete the stolen data.
How Did the Alleged Oracle Breach Occur?
A possible undisclosed vulnerability on login.(region-name).oraclecloud.com allowed the hacker to gain unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication. The hacker claimed to have gained access to Oracle Cloud servers around 40 days ago and emailed the company after exfiltrating data from the US2 and EM2 cloud regions.
Who is Impacted by the Oracle Breach?
The threat actor claims to have a list of the 140,000 Oracle Cloud tenants whose data was compromised, but at this time, that list has not been made public. Note: Even for companies that don't use Oracle Cloud, it's likely some of your vendors do.
What has Oracle said?
Oracle originally denied being breached: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” the company told BleepingComputer. Yet despite Oracle’s denials, BleepingComputer reported it had “confirmed with multiple companies that associated data samples shared by the threat actor are valid.”
Oracle Breach: Key Steps to Take for Your Organization
IANS recommends organizations take the following steps:
- If you’re not in Oracle Cloud Infrastructure (OCI), evaluate your readiness to handle this type of incident in your cloud environment
- Increase monitoring around credential use in OCI. The identity and access management (IAM) logs are the first place we start with cloud incident response, so you should already have good detection engineering here. Use this to determine if you’re seeing any anomalies
- Consider rotating credentials in OCI. Use this incident as a catalyst to build a formal process. If you haven’t already rotated credentials 96+ hours into the report, then based on the lack of any suspicious activity identified, I wouldn’t recommend doing so if you don’t have a process in place. But if you’re not rotating credentials due to lack of a plan, that itself is an issue. Create the plan today.
- Talk to your vendors that use OCI and ask what actions they’ve taken or are planning on taking. As time has passed without evidence of intrusion, third-party risks are less concerning, but still worth considering.
- Talk to your cyber threat intelligence (CTI) teams and see when (and how) they noticed this incident. Did formal/informal information-sharing arrangements help you assess this incident? If not, what do you need to put in place now to ensure they can leverage those relationships in the future? This is a great opportunity to measure your CTI team against a real-world issue that is concerning enough that they should have noticed it, but not at an “Internet dumpster fire” level where they couldn’t have missed it.
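The monitoring step above (credential-use anomalies in OCI IAM/Audit logs) as an added example, not part of the original post or an IANS or Oracle tool. It builds a per-principal baseline of source IPs from a known-good window and flags later calls from never-seen IPs or identity operations that create or alter credentials. The events are constructed; their field layout follows the OCI Audit event structure (data.identity.principalName, data.identity.ipAddress, data.eventName), and the list of identity operation names is an assumption to review against your tenancy.

```python
import json
from collections import defaultdict

def audit_event(time, principal, ip, event_name):
    """Build a constructed OCI-Audit-shaped event with only the fields the checks read."""
    return {"eventTime": time,
            "data": {"eventName": event_name,
                     "identity": {"principalName": principal, "ipAddress": ip}}}

# Constructed sample: a baseline window of known-good activity and a newer window to check.
BASELINE_EVENTS = [
    audit_event("2025-03-01T09:00:00Z", "alice@example.com", "203.0.113.10", "ListUsers"),
    audit_event("2025-03-02T09:05:00Z", "alice@example.com", "203.0.113.10", "GetUser"),
    audit_event("2025-03-02T11:00:00Z", "bob@example.com", "198.51.100.7", "ListGroups"),
]
NEW_EVENTS = [
    audit_event("2025-03-22T02:10:00Z", "alice@example.com", "203.0.113.10", "ListUsers"),
    audit_event("2025-03-22T02:14:00Z", "alice@example.com", "192.0.2.55", "CreateAuthToken"),
    audit_event("2025-03-22T03:30:00Z", "bob@example.com", "198.51.100.7", "AddUserToGroup"),
]

# OCI Identity operations that mint credentials or change principals/membership.
# This set is an assumption for the example; tune it to what your tenancy uses.
IDENTITY_CHANGE_OPS = {"CreateAuthToken", "CreateCustomerSecretKey", "UploadApiKey",
                       "CreateUser", "UpdateUser", "AddUserToGroup", "UpdateIdentityProvider"}

def build_baseline(events):
    """Map each principal to the set of source IPs observed during the baseline window."""
    known = defaultdict(set)
    for ev in events:
        ident = ev["data"]["identity"]
        known[ident["principalName"]].add(ident["ipAddress"])
    return known

def find_anomalies(events, known_ips):
    """Return (time, principal, reason) tuples; a principal absent from the baseline is
    treated as having no known IPs, so its first call is flagged for review."""
    findings = []
    for ev in events:
        data = ev["data"]
        who, ip, op = data["identity"]["principalName"], data["identity"]["ipAddress"], data["eventName"]
        if ip not in known_ips.get(who, set()):
            findings.append((ev["eventTime"], who, f"call from new source IP {ip}"))
        if op in IDENTITY_CHANGE_OPS:
            findings.append((ev["eventTime"], who, f"identity change: {op}"))
    return findings

def parse_audit_lines(lines):
    """Parse OCI Audit events exported as JSON lines (one event per line), skipping blanks."""
    return [json.loads(line) for line in lines if line.strip()]

if __name__ == "__main__":
    for finding in find_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(*finding)
```

Run the same two functions over your exported Audit events (parse_audit_lines on a JSON-lines export) with a baseline window that predates the incident timeline the post describes.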
How to Communicate the Oracle Breach to Leadership
IANS recommends the following communications:
- We're monitoring the situation and acting on rotating credentials in OCI.
- We're communicating with third parties using OCI and asking whether they're taking actions commensurate with ours.
- We're evaluating our CTI posture based on lessons learned from our assessment of this incident.
The alleged breach of Oracle Cloud highlights the critical importance of robust cybersecurity measures and practiced incident response. Despite Oracle’s denial, the evidence provided by intelligence sources and the sophisticated methods of the threat actor suggest a significant security incident. Organizations, whether directly using Oracle Cloud or relying on vendors that do, must take immediate steps to enhance monitoring, consider credential rotation, and engage with their vendors and CTI teams. This incident serves as a stark reminder of the ever-evolving threat landscape and the need for continuous vigilance and preparedness in cybersecurity.
Learn everything you need to know about the recent Oracle Cloud incident from IANS Faculty Jacob Williams.