There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial


Oracle Cloud's denial of a digital break-in is now in clear dispute. An infosec researcher working on validating claims that the cloud provider's login servers were compromised earlier this year says some customers have confirmed data allegedly stolen and leaked from the database giant is genuine.

Since Oracle rubbished reports of a security breach, rose87168, the individual who claimed responsibility for the alleged intrusion and theft of approximately six million records – customer security keys, encrypted credentials, LDAP entries, and other data – sent a 10,000-line sample of the collection to Alon Gal, co-founder and CTO at security shop Hudson Rock.

Gal said he took the sample and reached out to multiple Hudson Rock customers who appeared to be affected. Three customers have since confirmed the data handed to Gal by rose87168 from Oracle Cloud's internal systems is genuine, according to the CTO.

One customer, we're told, said its users are in the sample set, and have access to sensitive information. Another concurred, claiming the data is legitimate and from a production environment though it dates back to 2023. A third Hudson Rock customer said their users and tenant IDs match those in the sample, and that they are used in their production environment.

The Register reported over the weekend Oracle was denying the claims made by rose87168 late last week that the netizen breached Oracle's login servers using a vulnerability and stole the aforementioned customer security keys and other sensitive data.

"There has been no breach of Oracle Cloud," Oracle said. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

In addition to providing researchers with a sample of the sensitive data they allegedly stole from the IT titan, rose87168 also demonstrated they were able to create a text file, archived here, on a public-facing Oracle-owned web server as proof of their intrusion and the heist. That file contained rose87168's email address, seemingly to show they did indeed have access to the login server.

Infosec outfit CloudSEK speculated rose87168 appeared to have exploited CVE-2021-35587, a critical vulnerability in Oracle Access Manager that would have given the miscreant access to the kinds of credentials and other data said to have been siphoned. That would mean Oracle failed to patch a hole in its own software on its own infrastructure.

Along with Gal, CloudSEK said on Tuesday the same 10,000-line sample of data was sent to its staff, and appeared to cover more than 1,500 affected organizations.

CloudSEK said after looking at the sample, "the volume and structure of the leaked information make it extremely difficult to fabricate, reinforcing the credibility of the breach."


If the data is genuine, as some infosec watchers suggest it is, the potential consequences of it falling into the wrong hands are serious and substantial.

With access to data such as customers' digital security certificates and keys, SSO and LDAP passwords, and more, cyber-criminals could take that and use it to carry out supply chain and ransomware attacks, among others.

The SSO and LDAP passwords are encrypted, and according to BreachForums posts made by rose87168, the alleged thief has been unsuccessful in breaking the hashes. However, they offered a free portion of the data to anyone who could help.

The price for the entire trove of data isn't known, but rose87168 said they'd happily accept cash or zero-day exploits for their trouble.

Experts are advising organizations that have any suspicion they may be affected to rotate their SSO and LDAP credentials, and to ensure strong password policies and MFA are in place. Triggering an incident response plan is also a good idea, to check whether any unauthorized intrusions have taken place.
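The customers quoted above decided the sample was genuine by checking whether their own user and tenant IDs appeared in it, and the advice here is to rotate credentials and open an incident if they do. The following is an added example of that triage step, not code from the article, Hudson Rock, CloudSEK or Oracle. The article does not describe the sample's layout, so the script assumes an LDIF-like format (one `attribute: value` per line, blank line between entries) and a `tenantId` attribute; the sample records are constructed. Password and key attributes are discarded at parse time so the check never retains the sensitive fields.

```python
# Added example: decide whether a leaked directory sample contains our tenants/users.
# Assumptions (not from the article): LDIF-like layout and a "tenantId" attribute.

# Constructed sample data; shape is an assumption, values are made up.
SAMPLE_LINES = """\
dn: uid=alice,ou=users,dc=example,dc=com
tenantId: tenant-0001
uid: alice
userPassword: {SSHA}REDACTED

dn: uid=bob,ou=users,dc=example,dc=com
tenantId: tenant-0002
uid: bob
userPassword: {SSHA}REDACTED

dn: uid=carol,ou=users,dc=otherorg,dc=net
tenantId: tenant-9999
uid: carol
userPassword: {SSHA}REDACTED
"""

# Attributes we never want to keep in memory or write to a report.
SENSITIVE_ATTRS = {"userpassword", "sshpublickey", "usercertificate", "apikey"}


def parse_ldif_like(text):
    """Split LDIF-style text into a list of {attribute: value} dicts.

    Sensitive attributes are dropped while parsing, so the returned
    entries carry only identifiers (dn, uid, tenantId, ...).
    """
    entries = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        attr = attr.strip().lower()
        if attr in SENSITIVE_ATTRS:
            continue
        current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries


def find_matches(entries, my_tenant_ids, my_dn_suffix):
    """Return entries that belong to us, matched by tenant ID or by DN suffix."""
    tenants = {t.lower() for t in my_tenant_ids}
    suffix = my_dn_suffix.lower()
    hits = []
    for e in entries:
        tenant = e.get("tenantid", "").lower()
        dn = e.get("dn", "").lower()
        if tenant in tenants or (suffix and dn.endswith(suffix)):
            hits.append({"dn": e.get("dn"), "tenantid": e.get("tenantid"), "uid": e.get("uid")})
    return hits


def exposure_report(text, my_tenant_ids, my_dn_suffix):
    """Summarise whether the sample touches us and whether rotation is warranted."""
    entries = parse_ldif_like(text)
    hits = find_matches(entries, my_tenant_ids, my_dn_suffix)
    return {
        "total_entries": len(entries),
        "matched_entries": len(hits),
        "matched_uids": sorted(h["uid"] for h in hits if h["uid"]),
        "rotate_credentials": bool(hits),  # any hit: rotate SSO/LDAP creds, open an incident
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LINES, {"tenant-0001", "tenant-0002"}, "dc=example,dc=com")
    print(report)
```

Matching on both tenant ID and DN suffix catches entries where one of the two identifiers has been renamed or omitted; the `matched_uids` list is what an incident responder would hand to the identity team as the rotation scope.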

The Register asked Oracle for a response to the latest developments from CloudSEK and Hudson Rock, and it did not immediately respond. ®
