Oracle denies data breach after hacker claims to hold six million records

(Image credit: Oracle)

A threat actor is offering a database for sale, alleging it came from Oracle
The archive contains encrypted SSO passwords and more
Oracle denied being breached or losing data

Oracle has denied suffering a cyberattack and a data breach, following claims from a hacker to have stolen millions of records from company servers.

In mid-March 2025, a threat actor with the alias rose87168 released 6 million data records, claiming they were seized from Oracle’s Cloud federated SSO login servers. The archive posted on the dark web included a sample database, LDAP information, and a list of companies.

Perhaps unsurprisingly, Oracle was having none of it, issuing a statement declaring, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

Encrypted SSO passwords

In the meantime, rose87168 took the archive for sale, in exchange for either an undisclosed sum of money, or zero-day exploits.

The threat actor claims the data includes encrypted SSO passwords, Java keystore (JKS) files, key files, enterprise manager JPS keys, and more.

"The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked," rose87168 said.

"I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold."

Before listing the stolen archive for sale, the threat actor apparently asked Oracle for 100,000 XMR (the Monero cryptocurrency), but the company also demanded “all information needed for fix and patch,” and since rose87168 did not provide, the negotiations broke down..

To prove the stolen files were legitimate, the threat actor gave BleepingComputer a URL for Internet Archive, which shows that they uploaded a .txt file containing their email address to login.us2.oraclecloud.com server.

The publication reached out to Oracle for an explanation - we have also contacted the company for comment.

Several ServiceNow flaws are reportedly being linked together to attack companies and organizations
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.