Oracle Cloud Authentication Data Breach by 'rose87168'
A threat actor identified as 'rose87168' claimed to have breached Oracle Cloud's federated Single Sign-On (SSO) login servers and exfiltrated approximately 6 million records, impacting over 140,000 tenants. The stolen data reportedly includes Java Key Store (JKS) files, encrypted SSO and LDAP passwords, and Enterprise Manager JPS keys. While Oracle initially denied a breach of its main Oracle Cloud Infrastructure (OCI) platform, it acknowledged a security incident involving two obsolete servers where usernames were accessed. Cybersecurity firms and independent researchers confirmed the validity of some data samples shared by the threat actor. The attacker was active since January 2025 and sought assistance to decrypt stolen data, demanding payments to prevent further exposure. CISA issued guidance on credential risks associated with a potential legacy Oracle cloud compromise.
Signal context
First seen: Mar 21, 2025
Last updated: Jun 19, 2026
Status: Public signal
Key points
- Threat actor 'rose87168' claimed responsibility for the breach, advertising 6 million records for sale on a hacking forum.
- Data allegedly stolen includes JKS files, encrypted SSO and LDAP passwords, and JPS keys, affecting over 140,000 Oracle Cloud tenants.
- Oracle initially denied a breach of its primary OCI platform but confirmed unauthorized access to usernames from two obsolete servers.
Signal analysis
BetaThis analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Information
Likely country: 🇺🇸 United States
inferred from source domains
Watch internet-facing systems, credential abuse and exploit activity.
- Source type: outside the affected organization
Impact area: Confidentiality
Likely asset: User or customer data, Server or cloud data store
- 3 signals in the same sector
- 22 signals with the same likely impact area
- 5 signals linked to this organization/domain
External sources
https://itbutler.com/blog/oracle-data-breach/https://itbutler.com/blog/oracle-data-breach/Public source from itbutler.com.
https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromisehttps://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromisePublic source from cisa.gov.
https://reco.ai/blog/oracle-breach-preparing-for-identity-attacks-on-oci-and-beyond/https://reco.ai/blog/oracle-breach-preparing-for-identity-attacks-on-oci-and-beyond/Public source from reco.ai.
Related signals
Grouped by why the signal is relevant.
Oracle Affected by FortiBleed Campaign
Oracle was identified as one of over 22,000 corporate domains affected by the FortiBleed campaign. A Russian-speaking criminal group compromised Fortinet firewall and VPN devices globally, exfiltrating credentials and potentially gaining full network access.
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273)
The ShinyHunters threat group exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools, a critical remote code execution flaw with a CVSS score of 9.8. The campaign, observed between May 27 and June 9, 2026, targeted over 100 global organizations, with a significant focus on the higher education sector. The vulnerability allowed unauthenticated remote code execution without user interaction. Stolen data from compromised organizations was subsequently published on ShinyHunters' data leak site, and some victims received extortion demands. Oracle released a security advisory on June 10, 2026, after the exploitation was already underway.
Oracle Health (Cerner) Legacy Server Breach
In a separate incident from the Oracle Cloud breach, Oracle Health (formerly Cerner), a provider of electronic health record (EHR) systems, experienced a data breach. A hacker reportedly used stolen credentials to access legacy servers that had not yet been migrated to Oracle Cloud, leading to the exfiltration of healthcare records from various hospitals in the United States. The incident began on January 22, 2025, and Oracle first noticed the breach on February 20, 2025. The attacker is allegedly extorting Oracle Health customers, demanding cryptocurrency payments to withhold publishing the stolen data, which likely includes protected health information.
Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day
The Cl0p ransomware group launched a large-scale extortion campaign by exploiting a zero-day vulnerability (possibly CVE-2025-61882) in Oracle's E-Business Suite (EBS). This led to critical data breaches for dozens of large corporations, with over 100 companies allegedly impacted. The exploitation activity was observed as early as August 9, 2025, weeks before a patch was available, and suspicious activity dated back to July 10, 2025. The threat actors exfiltrated a significant amount of data from impacted organizations and sent high-volume emails to executives demanding payment.
Paywall Bypass Vulnerability
Tweakers.net has identified a vulnerability that allows for the bypass of its paywall. This issue is listed as a 'Known issue' within their bug bounty program, indicating that the company is aware of the flaw and is seeking ethical hackers to report findings related to it. A successful bypass could allow unauthorized access to premium content.
Horizon Family Medical Group Data Breach
Reports emerged on June 18, 2026, of a possible data breach at Horizon Family Medical Group, a medical provider in New York's Hudson Valley region. Threat actor Incransom claimed to have stolen 7 TB of data, including medical information such as diagnoses, prescriptions, treatments, and lab results.