Business Fortune
24 March, 2025
This major intrusion is being referred to as 2025's largest supply chain breach.
A threat actor attacked Oracle Cloud in a large supply chain hack, compromising 6 million records and endangering over 140,000 tenants (companies whose environment is on a cloud database) across various countries and sectors.
The cyber-security firm CloudSEK identified the assault on March 21 and dubbed it the "biggest supply chain hack of 2025." The attack affected data and passwords. According to CloudSEK, a threat actor operating under the name "rose87168" is allegedly selling online 6 million records that were taken from Oracle Cloud's Lightweight Directory Access Protocol (LDAP) and Single Sign-On (SSO) systems.
The threat actor even created an X page to expand the scope of the assault, using it to follow Oracle-related accounts in order to harass or follow its targets. In addition to selling this private information online, the threat actor, who has been active since January 2025, is requesting assistance in decrypting the credentials that were obtained and demanding ransom from the impacted firms in exchange for removing the data.
A dataset comprising Enterprise Manager JPS keys, encrypted SSO passwords, key files, and Java KeyStore (JKS) files was compromised.
According to CloudSEK's analysis, the threat actor exploited login endpoints for all regions related to oraclecloud.com by using an unreported vulnerability in Oracle WebLogic Server. The actor's sophisticated tactics convey a high degree of intelligence despite their lack of prior experience.