All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Oracle Cloud Account Leaks 6 Million Records From 140K Tenants
raindog308
Administrator, Veteran
"On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.
"The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication, CloudSEK assesses this threat with medium confidence and rates it as High in severity."
Not sure if the free tier is affected. There's a link there that allows you to check your domain.
Comments
OOF
how much do 6m records go for?
Just 6m records? Pfft
n00bz numbers
At least $7
Sximity million
Calin would love to get his hands on the data
Apparently it is. Tried my personal domain that I used to sign up for the free tier, and it shows I'm pwned. Damn.
Seemingly not impacted when checking my email domain, is there some other domain I should be checking?
Oopsie. "Enterprise" they said, "Sakkurity! With Oracle you are safe" they said (and then let front-end developers implement their login page ...
For a long time, Oracle has marketed their Linux as "Unbreakable Linux".
Maybe that's great marketing copy but I've always found it a bit cringeworthy.
And now your smirking has been proven right, hehe ...
I think those with 2FA are safe
I love posting the monthly megacorop-cloud hacks in my work engineering channels. Then every zoom call having my rack with proxmox cluster running in the background. People are surprised at first "what do you /mean/ you don't trust the cloud?". And then pay a bazillion bucks to AWS because "compliance" and "security".
I hope so
Suddenly them not accepting me into the free tier becomes a win lol
Hope so my domain says it's not affected I'm using 2FA.
Did you upgrade to Pay as you go aka gave them CC details?
My domain not there, never went out free tier.
However also it's worth to notice I don't remember when I last time signed into Oracle Cloud and this could be "leaking" active sessions or something :-D
// Oh, the blog says it was us
login.us2.oraclecloud.comso if they have EU database in different region I could be not leaked :-DHow do you know if yours was impacted? I didn’t get any notification or did I have to see it somewhere
https://exposure.cloudsek.com/oracle
I did upgrade my account... Fortunately I was using a virtual card lol
That's referring to the kernel. I highly doubt this was a kernel exploit.
No, they've referred to "Oracle Unbreakable Linux" in marketing fluff without limiting it to the kernel, though in other places it's the "Oracle Unbreakable Linux Kernel".
Why, they even market the Unbreakable Linux Network.
You're right, though, this wasn't a Linux vuln.
@emgh important please read.
your mom's Oracle free tier account might be exposed.
Welp, I think this is a catch for free tier 😭
Linux is the kernel. Linux is not the OS.
Post from your real account, Stallman.
I think even my mom could have told you that.
7$ sounds reasonable as they never let me complete the signup process due to there strange card verification process
I had 1 account with them but never had a chance to touch their "free machine". It always unavailable when I try to create one.
You should try again. Was able to add a couple wwwks ago no issues
In which region you got your account ? I tried to signup in phoenix region but was not able to complete signup process due to card verification issues