Apr 02, 2025 16:00:00

It is revealed that Oracle is requesting the Internet Archive to delete a serious security incident that occurred in its cloud in an attempt to hide it from customers

On March 21, 2025, a hacker calling himself 'rose87168' stole and sold approximately 6 million customer records from

the single sign-on (SSO) login server of Oracle Cloud , a cloud service provided by American software company Oracle. Oracle has issued a statement that 'no unauthorized access has occurred,' but it has also been reported that Oracle has requested the Internet Archive to delete pages that rose87168 claims are 'evidence of the intrusion.'

Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service | by Kevin Beaumont | Mar, 2025 | DoublePulsar
https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a

Oracle denies breach after hacker claims theft of 6 million data records

https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/

It all began on March 21, 2025, when a threat actor calling himself 'rose87168' claimed on a hacking forum that he had stolen and sold 6 million SSO passwords, keystore files, key files, etc. from Oracle Cloud's SSO login server.

'SSO passwords are encrypted and can be decrypted if we have the files available. We may also be able to crack LDAP hashed passwords,' rose87168 claims. 'We will be creating a list of all the company domains included in this leak. Companies can pay a certain amount to have their employee information removed from the list.'

Rose87168 also claims that he uploaded a text file containing his email address to login.us2.oraclecloud.com, which is controlled by Oracle, and has provided

an Internet Archive URL as evidence.


In response, Oracle issued a statement saying, 'There was no data breach on Oracle Cloud. The credentials exposed by the threat actor in question are not from Oracle Cloud. Therefore, no Oracle Cloud customers are at risk.'

However, according to Medium, Oracle has asked the Internet Archive to remove the archive for this URL. If you actually access the URL, you will see the message 'This URL has been excluded from the Wayback Machine.' You will not be able to view it.

Later, rose87168 published a recording of a roughly hour-and-a-half-long meeting held at Oracle in 2019.

Oracle Unconfirmed Data Breach - Rose87168 claims this video was downloaded from Oracle's servers - YouTube


The meeting also discussed access to Oracle's internal password vault and customer-facing systems.

Rose87168 has also threatened to 'release more data' and has released the latest Oracle configuration files and WebServer configuration files to some journalists. After viewing the data, Midium pointed out that 'it is 100% true that a cybersecurity incident has occurred in a system that processes customer data at Oracle' and 'This is a serious cybersecurity incident that affects customers of platforms managed by Oracle.'

'Oracle is trying to evade responsibility in the Oracle Cloud fiasco. This is unacceptable. Oracle needs to be clear and open about what happened and how it will affect customers,' Midium said.