Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to the claims, 6 million customer records were stolen from Oracle's SSO and LDAP systems.
This blog was updated on March 27.
The threat actor behind the post is offering to sell the allegedly stolen data, providing multiple purchasing options based on company name, hashed credentials, and other sensitive information.
Oracle has denied these claims: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Figure 1. Actor's initial post alleging the Oracle breach.
Figure 2. Actor's follow-up post with further details on the data claimed to have been obtained from the Oracle breach.
Any breach like the alleged one could have serious implications for affected organizations, potentially exposing them to credential-stuffing attacks, unauthorized access, spear-phishing, and further exploitation.
The actor provided three alleged sample files:
- A database sample with PII
- A sample of LDAP records with PII
- A list of allegedly affected companies
Database Sample Analysis
The dataset described by the provided headers represents a highly detailed and sensitive user directory, likely extracted from a corporate Identity and Access Management system or HR-integrated directory such as Microsoft Active Directory, Oracle Identity Manager, or a similar platform. Such data in a leaked format poses severe cybersecurity and operational risks to the affected organization.
Figure 3. Raw column names from the database sample that is claimed to have been obtained from Oracle.
The dataset includes PII, such as first and last names, full display names, email addresses, job titles, department numbers, telephone numbers, mobile numbers, and even home contact details. This level of exposure can immediately lead to identity theft, spear phishing attacks, and social engineering campaigns, where attackers impersonate employees or executives to gain access to additional internal systems or defraud partners.
A leak of this type could potentially be used to launch credential stuffing attacks, insider impersonation, or initial access brokerage, where credentials to internal systems are sold to more sophisticated ransomware operators. Once access is gained, attackers could exfiltrate sensitive legal or financial data, deploy ransomware to disrupt operations, or leverage insider tools to avoid detection while expanding their foothold.
The first thing we noted in the allegedly stolen data was the inclusion of login credentials and authentication-related metadata. Fields like USR_PASSWORD, USR_PWD_EXPIRE_DATE, USR_PWD_MUST_CHANGE, and USR_PWD_NEVER_EXPIRES suggest that this database may contain hashed passwords and insights into password lifecycle policies. If 2FA or other multi-factor mechanisms are not enforced organization-wide, attackers could use these credentials to access internal systems, VPNs, or cloud services, potentially leading to full domain compromise.
Furthermore, fields such as USR_MANAGER, USR_MANAGER_KEY, and USR_EMP_TYPE provide organizational hierarchy, helping attackers identify privileged accounts or high-value targets for lateral movement and privilege escalation. The inclusion of flags such as USR_HAS_HIGH_RISK_ROLE, USR_HAS_HIGH_RISK_RESOURCE, and USR_SUMMARY_RISK is particularly damaging, as it directly highlights accounts with elevated permissions or access to sensitive systems, allowing adversaries to prioritize targets effectively.
Additional metadata, like USR_LOCKED, USR_DISABLED, USR_PWD_RESET_ATTEMPTS_CTR, and timestamps such as USR_PROVISIONING_DATE or USR_HIRE_DATE, enables attackers to gauge which accounts are currently active or dormant, thus reducing the risk of early detection when exploiting access. The exposure of USR_LDAP_DN, USR_LDAP_GUID, and other LDAP attributes further aids in replicating the directory structure in test environments, which can be used by ransomware groups or red-team-style attackers to simulate and refine attacks.
The following email domains are mentioned in the shared file as login data:
Table 1. Counts of email domains found in the sample file shared by the actor.
Such a dataset represents a valuable asset for cybercriminals, giving them all the contextual, credential, and structural insight needed to orchestrate targeted attacks. For the organizations affected, a leak like this one could result in data breach liabilities, regulatory penalties, reputational damage, operational disruption, and long-term erosion of client trust. An immediate investigation, forced password resets, identity monitoring, and security audits are essential to mitigate potential fallout.
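The metadata fields above are what an incident responder would use to order the forced password resets recommended later in this post. The following script is an added example, not code from the original post or from Trustwave; it runs over a constructed CSV that reuses the column names seen in the alleged dump (all values are made up) and ranks accounts by whether the exposed hash is still inside its validity window and whether the account carries a high-risk flag:

```python
import csv
import io
from datetime import datetime

# Constructed sample reusing the column names seen in the alleged dump; every
# value below is made up for illustration and none comes from the leaked data.
SAMPLE_CSV = """USR_LOGIN,USR_PASSWORD,USR_PWD_EXPIRE_DATE,USR_PWD_NEVER_EXPIRES,USR_LOCKED,USR_DISABLED,USR_HAS_HIGH_RISK_ROLE,USR_HAS_HIGH_RISK_RESOURCE
alice,<hash>,2026-01-01,0,0,0,1,1
bob,<hash>,2019-03-01,0,0,0,0,0
carol,<hash>,2030-01-01,1,0,0,0,1
dave,<hash>,2027-06-30,0,1,0,1,0
erin,<hash>,2027-06-30,0,0,1,1,1
"""


def is_set(row, column):
    return row[column] == "1"


def triage(csv_text, now_iso="2025-03-20"):
    """Rank exposed accounts for forced password reset.

    Priority 1: enabled, hash still inside its validity window, flagged high risk.
    Priority 2: enabled and either still valid or high risk.
    Priority 3: disabled, or expired and not high risk (still reset: reuse risk).
    """
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        high_risk = is_set(row, "USR_HAS_HIGH_RISK_ROLE") or is_set(row, "USR_HAS_HIGH_RISK_RESOURCE")
        expiry = datetime.strptime(row["USR_PWD_EXPIRE_DATE"], "%Y-%m-%d")
        hash_live = is_set(row, "USR_PWD_NEVER_EXPIRES") or expiry > now
        reasons = []
        if high_risk:
            reasons.append("high-risk role/resource flag")
        if hash_live:
            reasons.append("password hash still inside validity window")
        if is_set(row, "USR_LOCKED"):
            reasons.append("currently locked: an unlock re-exposes it")
        if is_set(row, "USR_DISABLED"):
            priority, reasons = 3, ["disabled: verify deprovisioning, check reuse elsewhere"]
        elif hash_live and high_risk:
            priority = 1
        elif hash_live or high_risk:
            priority = 2
        else:
            priority = 3
        ranked.append({"login": row["USR_LOGIN"], "priority": priority, "reasons": reasons})
    return sorted(ranked, key=lambda r: (r["priority"], r["login"]))
```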
LDAP Sample Analysis
# XXXX XXXXXX, users, XXXXXXXXXXXXXX, cloud.oracle.com
dn: cn=XXXXXXXXX,cn=users,orclMTTenantGuid=XXXXXXXXXXXXXX,dc=cloud,dc=oracle,dc=com
orclmtuid: XXXXXXXXXXXXXXXXXXXXXXXX
tenantadmin: cn=TenantAdminGroup,cn=Groups,orclMTTenantGuid=XXXXXXXXXXXXXX,dc=cloud,dc=oracle,dc=com
userwriteprivilegeuc: cn=orclUserWritePrivilegeGroup,cn=SystemIDGroups,cn=Groups,orclMTTenantGuid=XXXXXXXXXXXXXX,dc=cloud,dc=oracle,dc=com
userreadprivilegeuc: cn=orclUserReadPrivilegeGroup,cn=SystemIDGroups,cn=Groups,orclMTTenantGuid=XXXXXXXXXXXXXX,dc=cloud,dc=oracle,dc=com
userwriteprefsprivilegeuc: cn=orclUserWritePrefsPrivilegeGroup,cn=SystemIDGroups,cn=Groups,orclMTTenantGuid=XXXXXXXXXXXXXX,dc=cloud,dc=oracle,dc=com
orclmttenantuname: xxxxxxx
orclmttenantguid: XXXXXXXXXXXXXX
orclmttenantstate: ENABLED
authpassword;oid: {SASL/MD5}XXXXXXXXXXXXXX
authpassword;oid: {SASL/MD5-DN}XXXXXXXXXXXXXX
authpassword;oid: {SASL/MD5-U}XXXXXXXXXXXXXX
userpassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
objectclass: orclIDXPerson
objectclass: oblixPersonPwdPolicy
objectclass: oblixOrgPerson
objectclass: OIMPersonPwdPolicy
objectclass: inetorgperson
objectclass: top
objectclass: organizationalPerson
objectclass: person
oblogintrycount: 0
displayname: XXXXXXXXXXXXXX
cn: XXXXXXXXXXXXXX
employeetype: OTHER
uid: XXXXXXXXXXXXXX
obpasswordchangeflag: true
mail: XXXXXXXXXXXXXX
sn: XXXXXXXXXXXXXX
obpasswordexpirydate: 2018-05-24T00:00:00Z
givenname: XXXXXXX
Figure 4. Allegedly leaked LDAP entry (redacted).
This allegedly leaked LDAP entry reveals a substantial amount of sensitive IAM data associated with a user within an Oracle Cloud multi-tenant environment. The data includes personally identifiable information (PII) and administrative role assignments, indicating potential high-value access within the enterprise system.
Distinguished Name (DN) and Email/UID
The user's LDAP distinguished name contains tenant-specific identifiers, confirming the environment is part of a larger Oracle Cloud infrastructure. The associated email links the entry directly to a real-world identity and organization.
Privileges and Roles
The user has membership in multiple privilege groups such as:
- orclUserWritePrivilegeGroup
- orclUserReadPrivilegeGroup
- orclUserWritePrefsPrivilegeGroup
- TenantAdminGroup
This implies the user may hold administrative rights over configurations and user preferences - possibly even full tenant-level control.
Tenant and State
The entry allegedly lists the tenant name and GUID (efkd-test, XXXXXXXXXXXXXXX) and confirms the tenant is active (ENABLED). This indicates the user account is within a functioning system and may still be valid.
Authentication Data
The presence of multiple hashed passwords using SASL/MD5 mechanisms raises significant concerns. Although hashed, these entries can still be susceptible to offline brute-force or dictionary attacks - especially if salts are not used or the hashing scheme is outdated.
Object Classes
The use of object classes like orclIDXPerson, inetOrgPerson, and OIMPersonPwdPolicy confirms this entry is tied into Oracle Identity Manager (OIM), a powerful identity provisioning system. This increases the potential blast radius of misuse - this account could be involved in managing or provisioning other users and systems.
Password Status and Expiry
The entry shows obpasswordchangeflag set to true and a password expiry date of 2018-05-24T00:00:00Z, which may indicate a dormant or legacy account. However, legacy accounts are a known attack vector, especially when not properly deprovisioned.
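The checks walked through above (privilege group membership, SASL/MD5 verifiers, tenant state, expiry date) can be automated over an LDIF export so that every entry in a directory gets the same review. The script below is an added example, not code from the original post or from Oracle; it parses a constructed LDIF record modelled on the redacted sample (placeholder values only, including LDIF line folding and a base64 `::` value) and returns defender-oriented findings:

```python
import base64
import re

# Constructed LDIF record modelled on the redacted sample above; every value is a placeholder.
SAMPLE_LDIF = """dn: cn=jdoe,cn=users,orclMTTenantGuid=TENANTGUID,dc=cloud,dc=oracle,dc=com
tenantadmin: cn=TenantAdminGroup,cn=Groups,orclMTTenantGuid=TENANTGUID,
 dc=cloud,dc=oracle,dc=com
userwriteprivilegeuc: cn=orclUserWritePrivilegeGroup,cn=SystemIDGroups,cn=Grou
 ps,orclMTTenantGuid=TENANTGUID,dc=cloud,dc=oracle,dc=com
orclmttenantstate: ENABLED
authpassword;oid: {SASL/MD5}0123456789abcdef
userpassword:: e1NTSEF9cGxhY2Vob2xkZXI=
obpasswordexpirydate: 2018-05-24T00:00:00Z
"""
ATTR_RE = re.compile(r"^([^:]+)(::?) ?(.*)$")
LEGACY_SCHEMES = ("{SASL/MD5", "{MD5}", "{SHA}", "{CRYPT}")

def parse_ldif_entry(text):
    """{attribute: [values]}: folded lines joined, '::' base64 decoded, ';oid' options kept."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = ATTR_RE.match(line).groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def audit_entry(entry, now_iso="2025-03-20T00:00:00Z"):
    """Findings: privilege groups, legacy hash schemes, stale expiry, live tenant.
    ISO-8601 'Z' timestamps in one fixed format compare correctly as strings."""
    findings = []
    groups = sorted({g for vals in entry.values() for v in vals
                     for g in re.findall(r"cn=([^,]*Group)(?:,|$)", v)})
    if groups:
        findings.append("privilege groups: " + ", ".join(groups))
    legacy = sorted({v.split("}")[0] + "}" for k, vals in entry.items() for v in vals
                     if k.split(";")[0] in ("authpassword", "userpassword") and v.startswith(LEGACY_SCHEMES)})
    if legacy:
        findings.append("legacy hash scheme(s): " + ", ".join(legacy))
    for v in entry.get("obpasswordexpirydate", []):
        if v < now_iso:
            findings.append(f"password expired {v[:10]}: dormant or legacy account")
    if groups and entry.get("orclmttenantstate") == ["ENABLED"]:
        findings.append("tenant ENABLED: privileged entry may still be live")
    return findings
```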
Review of the Companies Allegedly Impacted
The shared list has 128,466 unique company domain names that are claimed to be affected. If true, the scale of this breach is massive.
For companies involved in such a breach, the consequences can be severe and multifaceted. Attackers can sell or exploit access to these networks for ransomware deployment, data theft, or espionage.
While Trustwave is one of the companies mentioned in the list, Trustwave’s IT and engineering teams have confirmed that Trustwave does not use the impacted Oracle Cloud application. Additionally, Trustwave is proactively ensuring our clients are informed of the reported situation and of steps they should take to remain secure.
The alleged exposure of over 128,466 corporate environments represents more than just a large-scale credential leak. Given the associated metadata in each record, this data leak could have long-lasting impacts for any affected entities.
Additional Data Samples
Security researcher Alon Gal contacted rose87168 and received an additional 10,000 record sample. While he has not shared the sample openly, his research suggests even further that the data is valid.
Gal also mentions that the actor confirmed having exploited the critical vulnerability CVE-2021-35587 in Oracle Access Manager (OpenSSO Agent), as reported by CloudSEK.
Figure 5. Post from Alon Gal describing his analysis of the additional data sample.
Dark Web Investigation of the Collected Data
The investigation revealed that the Oracle subdomain login.us2.oraclecloud.com has appeared in various credential leaks dating back to at least 2019. Given this history, the actor's attempts to compromise Oracle systems are not an entirely unexpected development.
Figure 6. The login page of login.us2.oraclecloud.com (and likely of other subdomains).
Dark Web Advertisement Samples
November 22, 2019
NO RESOURCE NAME | egtq.login.us2.oraclecloud.com/o... | Available After Purchase | Available After Purchase | Saved Logins | LoginData | chrome | no | 2019-11-22 01:12:37 | 2019-11-22 08:54:23
April 15, 2021
NO RESOURCE NAME | https://login.us2.oraclecloud.com/ | Login : Available After Purchase. Password : Available After Purchase. | Saved Logins | LoginData | chrome | no | 2021-04-15 13:54:44 | 2021-04-15 19:37:00
July 07, 2023
URL: https://ecwr.login.us2.oraclecloud.com/oam/server/auth_cred_submit
Username: 380577
Password: SXXXXXXXX0
January 08, 2025
user_id: None
title: ExodusMarket_aRNIlkRMU4Xk3ARnO9nO3FS5fDZ2Ar
ip_address: 201.13...
os: Windows 10 Home Single Language (10.0.19045) x64
log_date: 2025-01-08 11:52:01
country: MX
created_at: 2025-01-08 11:46:01
price: 5
ehbm.login.us2.oraclecloud.com
March 15, 2025
title: _US_73.163.44.247
ip_address: 73.163...
os: Windows 11 Home (10.0.22621) x64
log_date: 2025-03-23 22:20:02
country: US
created_at: 2025-03-15 23:10:01
price: 16
elhr.login.us2.oraclecloud.com
Threat Actor Review
The actor claiming responsibility and offering the data for sale goes by the handle of rose87168. The actor emerged on March 8, 2025, when they posted about a potential DHL compromise. However, outside of this, not much is known about this actor.
This lack of history has been used to discredit the post. However, the actor provided a link on X (formerly Twitter) to a Wayback Machine snapshot from March 1.
Figure 7. Actor's post on X providing proof that the claimed breach took place.
The archived page shows the actor's email address, strongly suggesting that they had access as early as that date.
Figure 8. Web Archive from March 1, 2025 from https://web.archive.org/web/20250301161225/https://login.us2.oraclecloud.com/oamfed/x.txt?mail
Potential Results of Exploitation
If this data leak is valid, an attacker with access to it could use it in a variety of ways.
Privilege Escalation & Tenant Compromise
An attacker who can crack the associated hashes could gain write-level and administrative control over the tenant.
Credential Reuse Risk
If the same or similar passwords are reused across other systems (e.g., email, VPN, or internal tools), the attacker could pivot laterally within the organization.
Supply Chain Exposure
If a listed company is a vendor or partner within a broader ecosystem, this compromise could lead to third-party risk propagation.
Regulatory & Compliance Impact
Exposure of PII (name, email) and password data, particularly in enterprise environments, could trigger compliance requirements under GDPR, HIPAA, or similar frameworks.
This leak is a serious breach of identity and privilege-related security, underscoring the need for timely de-provisioning, password hygiene, and multi-factor authentication. The exposure of such an LDAP record, especially with access tied to administrative groups, could serve as a direct entry point for ransomware deployment, data exfiltration, or long-term espionage.
Recommendations
For companies affected by this type of breach, the most critical and immediate recommendations are:
- Force Password Resets for all exposed or potentially compromised accounts, especially those with privileged access (e.g., VPN, RDP, domain admin).
- Enforce Multi-Factor Authentication (MFA) across all systems - especially for remote access, email accounts, and administrative interfaces.
- Regenerate and replace any SSO/SAML/OIDC secrets or certificates associated with the compromised LDAP configuration.
- Audit and Revoke Unused or Dormant Accounts to minimize the attack surface and prevent lateral movement.
- Check for Unauthorized Access or suspicious activity in logs - focusing on login attempts, VPN sessions, and system changes. This should include a regular and ongoing review of LDAP logs for suspicious authentication attempts.
- Isolate and Monitor Critical Systems, especially if credentials tied to infrastructure or sensitive data were exposed.
- Patch All Systems and Update Endpoint Protection to prevent reinfection via malware, including credential stealers. Specifically, ensure all Oracle application patches are updated, including Oracle Fusion Middleware.
- Engage Incident Response Experts if any signs of compromise are detected - early containment is essential.
- Microsoft Entra SSO is integrated with Oracle Cloud. Revoke any unauthorized third-party application access granted via Microsoft Entra.
- Review the list of connected apps in Azure AD Enterprise Applications and ensure that no unapproved apps are integrated with critical systems.
- Office 365 credentials were included in the compromised credentials provided earlier. For remediation, please refer to the steps outlined in the Microsoft Knowledge Base: https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account
- Evaluate potential risks introduced by 3rd party suppliers who may have been affected by this compromise.
These steps are essential to reduce the immediate risk of escalation, including ransomware deployment or further data exfiltration.
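The recommendation to review LDAP logs for suspicious authentication attempts is easiest to act on with a concrete rule. The following detection is an added example, not code from the original post or from Trustwave; it runs over a constructed bind log in an assumed format (adapt `LINE_RE` to your directory's real audit log) and flags a source that fails binds against many distinct accounts, the credential-stuffing pattern a leak like this one enables, while listing any account that source subsequently bound successfully:

```python
import re
from collections import defaultdict

# Constructed bind log in an assumed format; adjust LINE_RE to your directory's
# actual audit log. LDAP result 0 = success; anything else (49 = invalidCredentials) = failure.
SAMPLE_LOG = """2025-03-21T10:00:01Z BIND src=203.0.113.5 dn=cn=alice,cn=users,dc=example,dc=com result=49
2025-03-21T10:00:02Z BIND src=203.0.113.5 dn=cn=bob,cn=users,dc=example,dc=com result=49
2025-03-21T10:00:03Z BIND src=203.0.113.5 dn=cn=carol,cn=users,dc=example,dc=com result=49
2025-03-21T10:00:04Z BIND src=203.0.113.5 dn=cn=dave,cn=users,dc=example,dc=com result=0
2025-03-21T10:05:00Z BIND src=198.51.100.7 dn=cn=erin,cn=users,dc=example,dc=com result=49
2025-03-21T10:05:30Z BIND src=198.51.100.7 dn=cn=erin,cn=users,dc=example,dc=com result=0
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) BIND src=(?P<src>\S+) dn=cn=(?P<user>[^,]+),\S* result=(?P<code>\d+)$"
)


def detect_stuffing(log_text, min_distinct_users=3):
    """Flag sources that fail binds against many *different* accounts (the
    credential-stuffing pattern) and list accounts they then bound successfully.
    One user failing repeatedly from one source is a typo, not stuffing."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = succeeded if m["code"] == "0" else failed
        target[m["src"]].add(m["user"])
    alerts = []
    for src in sorted(failed):
        if len(failed[src]) >= min_distinct_users:
            alerts.append({
                "src": src,
                "failed_users": sorted(failed[src]),
                "succeeded_users": sorted(succeeded[src]),  # reset these first
            })
    return alerts
```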
Conclusions
The potential leak of sensitive user identities and credentials linked to 128,466 companies underscores the expanding scale and sophistication of today’s cyber threats. Compromised credentials, particularly those granting administrative, VPN, or directory access, represent a serious threat to business operations, data security, and the protection of confidential client information. Information stored in other metadata could provide an attacker with organizational data that could help with targeted phishing attacks.
As always, if you believe you’ve been compromised, Trustwave has a team of DFIR professionals ready to help. Additionally, we offer a Managed Vendor Risk Assessment to help an organization assess supply chain risk with special attention to their suppliers’ use of Oracle and this particular incident.