According to recent reports, Oracle has faced two significant security breaches affecting its cloud infrastructure and health division, potentially exposing sensitive data of millions of users and patients across thousands of organizations.
The alleged Oracle Cloud breach, discovered in March 2025, involved the exfiltration of approximately 6 million records affecting over 140,000 tenants [1]. The threat actor, known as "rose87168," claimed to have exploited a vulnerability (CVE-2021-35587) in Oracle's cloud login infrastructure, specifically targeting the endpoint login.(region-name).oraclecloud.com [2]. The compromised data reportedly includes Java Key Store (JKS) files, encrypted SSO and LDAP passwords, and Enterprise Manager JPS keys [1][2]. Despite Oracle's denial of the breach, multiple customers have confirmed to BleepingComputer that data samples shared by the attacker are valid [3], and independent security researchers have corroborated the incident's authenticity [4][5].
The Oracle Health breach, disclosed in late March 2025, compromised patient data at multiple US healthcare organizations and hospitals. Oracle Health, formerly known as Cerner, became aware of unauthorized access to legacy Cerner data migration servers on February 20, 2025 [1]. The threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and exfiltrated patient information from electronic health records [1].
Oracle Health has not publicly disclosed the full extent of the breach, leaving affected healthcare providers responsible for determining HIPAA violations and patient notifications [1]. This incident highlights the ongoing security challenges faced by healthcare organizations transitioning to cloud-based systems and the potential risks associated with legacy infrastructure during migration processes [2]. The breach's timing, coinciding with the alleged Oracle Cloud compromise, has intensified scrutiny of Oracle's overall security practices and incident response capabilities [3][4].
The threat actor, known as "rose87168," began selling the allegedly stolen Oracle Cloud data on March 21, 2025, on a dark web forum [1][2]. They claimed to have breached the subdomain login.us2.oraclecloud.com, which was hosting Oracle Fusion Middleware 11G [1]. To demonstrate their access, the attacker shared an Archive.org URL containing a text file with their email address, hosted on Oracle's server [3]. "rose87168" offered to share data samples with anyone who could help decrypt the stolen credentials and has been actively contacting affected organizations, demanding payment for data removal [4][1]. This aggressive approach has raised concerns about the potential widespread impact of the breach and the security of Oracle's cloud infrastructure.
Oracle's recent security incidents have raised significant concerns about the company's overall cybersecurity posture and incident response capabilities. The alleged breaches of Oracle Cloud and Oracle Health have exposed vulnerabilities in both modern cloud infrastructure and legacy systems, highlighting the challenges of maintaining robust security across diverse technological environments.
Oracle's use of outdated software, such as Oracle Fusion Middleware 11G on the compromised login.us2.oraclecloud.com subdomain, suggests potential lapses in patch management and system updates [1][2].
The company's initial denial of the Oracle Cloud breach, despite evidence provided by multiple customers and security researchers, has drawn criticism and raised questions about transparency in incident reporting [3][4].
The exploitation of CVE-2021-35587, a vulnerability reported in December 2022, indicates delays in addressing known security flaws in critical systems [4][2].
Oracle's handling of the health data breach, leaving affected healthcare providers to determine HIPAA violations and patient notifications, has been viewed as shifting responsibility onto customers [5].
These incidents underscore the need for Oracle to reevaluate and strengthen its security practices, particularly in vulnerability management, system updates, and incident response protocols.