
Were they breached?
Over the past few weeks, reports of a possible breach of Oracle’s cloud infrastructure have been circulating. A threat actor using the handle “rose87168” claimed to have broken into Oracle’s systems and exfiltrated about 6 million records, potentially affecting more than 140,000 Oracle Cloud tenants worldwide. Despite those claims, and supporting analysis from security researchers, Oracle has flatly denied any breach, stating that no cloud customer data has been compromised. The episode raises hard questions about cloud security, corporate transparency, and what organizations should do to protect their data while the facts are still disputed.
The controversy began when “rose87168” posted on a cybercrime forum offering data purportedly stolen from Oracle Cloud servers. The actor alleged that the dump included authentication material and encrypted passwords for millions of Oracle Cloud users. Oracle responded promptly, denying any breach of its cloud infrastructure and asserting that the published credentials were not for Oracle Cloud services. Not for Oracle Cloud, then, but for some other Oracle service? That remains unclear.
Contrary to Oracle’s denials, several security firms have published analyses suggesting the claims have merit. CloudSEK’s investigation indicated that the attacker exploited a known, long-patched vulnerability in Oracle Access Manager (CVE-2021-35587) against an Oracle login endpoint whose software appeared not to have been updated since 2014. Trustwave SpiderLabs, for its part, reported that the actor was threatening to sell the data and offering several purchase options, including data tied to specific company names and credential sets. The weight of that evidence suggests Oracle is in denial.
Oracle has held its position, repeating that its systems and customer data are secure. Some industry experts have criticized this stance, arguing that the evidence warrants a more transparent investigation. The conflicting narratives leave Oracle customers uncertain whether to take additional security measures or to rely on the company’s assurances.
When a breach is suspected, communicating clearly with the affected organizations matters. Clear and honest disclosure preserves customer trust and lets clients take the precautions they need to protect their data. Here, Oracle’s statements read as if designed to avoid semantic traps rather than to address the concern: denying a breach of “Oracle Cloud” says nothing about whether the leaked credentials are real or where they came from.
Cloud security follows a shared responsibility model: the provider secures the cloud infrastructure, and the customer secures the data and identities they put in it. If the alleged breach happened as described, the compromised login infrastructure falls on Oracle’s side of that line. The fallout does not: leaked credentials stay useful to an attacker until the customer rotates them, so the cleanup lands with the tenants. There is enough smoke that organizations potentially affected should be extra vigilant about their cloud security posture.
To contain the risk, potentially affected tenants should act now rather than wait for the dispute to be settled: reset passwords for the affected accounts, rotate any SASL password hashes and other stored credentials, and rotate tenant identifiers where that is possible. Cloud security is hard, and harder still when the parties holding the facts do not share them. Researchers, vendors and customers fight new threats more effectively when they communicate and work together. Let’s hope we see more of that in the future.
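To turn that checklist into something you can actually run, here is an added example of the triage step; it is my code for this post, not Oracle’s, CloudSEK’s or Trustwave’s. It assumes a hypothetical directory export in LDIF where each account’s tenant is the o= RDN of its DN, a constructed list of leaked tenant identifiers, and constructed account data. It flags every account in an exposed tenant for a reset, additionally flags accounts whose stored verifier is cleartext or a fast unsalted hash (cheap to crack offline once the export is in an attacker’s hands), and treats {SASL} pass-through entries separately, because rewriting userPassword alone does not rotate a secret that the SASL backend holds.

```python
"""Credential triage after a suspected identity-provider compromise.
Added example for this post, not Oracle's, CloudSEK's or Trustwave's code.
Hypothetical assumptions: accounts come as an LDIF export, each account's tenant
is the o= RDN of its DN, the leaked tenant list is a set of identifiers. All data below is constructed."""
import base64
import re

# Constructed: tenants named in the attacker's published list / tenants we operate.
LEAKED_TENANTS = {"acme-corp", "globex", "initech"}
OUR_TENANTS = {"acme-corp", "wonka", "initech"}

# Constructed LDIF (RFC 2849 shape) with a comment, a base64 (::) value and a folded line.
SAMPLE_LDIF = """\
# constructed sample, not real data
dn: uid=bob,ou=people,o=acme-corp,dc=example,dc=com
uid: bob
userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==

dn: uid=carol,ou=people,o=wonka,dc=example,dc=com
uid: carol
userPassword:: e1NBU0x9Y2Fyb2xAV09OS0EuRVhBTVBMRS5DT00=

dn: uid=dave,ou=people,o=wonka,dc=example,dc=com
uid: dave
userPassword: hunter2

dn: uid=erin,ou=people,o=initech,dc=example,dc=com
uid: erin
userPassword: {SSHA}Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2Rl
 ZmdoaWo=
"""

# Verifiers that are cheap to crack offline once an export is in an attacker's hands.
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SMD5", "SHA", "CRYPT"}
_ATTR = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuations, skip comments, decode '::' base64;
    return one {attribute: [values]} dict per blank-line-separated entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # the sentinel flushes the final entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(name, []).append(value)
    return entries

def password_scheme(value):
    """'{SSHA}...' -> 'SSHA'; a value without a {scheme} prefix is stored in clear."""
    return value[1:value.index("}")].upper() if value.startswith("{") and "}" in value else "CLEARTEXT"

def tenant_of(dn):
    """Hypothetical layout: the tenant is the o= RDN of the account's DN."""
    for rdn in dn.split(","):
        key, _, val = rdn.partition("=")
        if key.strip().lower() == "o":
            return val.strip()

def triage(ldif_text, our_tenants, leaked_tenants):
    """Tenants we operate that appear in the leak, plus one action record per
    account that needs a credential reset and why."""
    exposed = sorted(our_tenants & leaked_tenants)
    actions = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        tenant = tenant_of(entry["dn"][0])
        for pw in entry.get("userPassword", []):
            scheme = password_scheme(pw)
            reasons = []
            if tenant in leaked_tenants:
                reasons.append("tenant in leaked list")
            if scheme in WEAK_SCHEMES:
                reasons.append(f"weak verifier ({scheme})")
            if scheme == "SASL":  # pass-through: the secret lives in the SASL backend
                reasons.append("SASL pass-through: rotate in the SASL backend too")
            if reasons:
                actions.append({"uid": uid, "tenant": tenant, "scheme": scheme, "reasons": reasons})
    return {"exposed_tenants": exposed, "actions": actions}

if __name__ == "__main__":
    print(triage(SAMPLE_LDIF, OUR_TENANTS, LEAKED_TENANTS))
```

On the constructed data this reports acme-corp and initech as exposed tenants, flags bob (exposed tenant and an unsalted MD5 verifier) and erin (exposed tenant, even though her SSHA verifier is fine), flags dave for a cleartext password regardless of tenant, and flags carol because her {SASL} entry has to be rotated in the SASL backend rather than in the directory. Real exports carry many more attributes and a different DN layout, so adjust tenant_of to your own tree.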