Data leak

Oracle Cloud (OCI) Infrastructure Breach: 6 Million Records, Login Credentials

📅 2025-01-01 🏢 Oracle Cloud Infrastructure (OCI) / Oracle Identity Manager / Oracle Access Manager 🔎 CVE-2021-35587

Incident Details

In March 2025, a threat actor known as ‘rose87168’ advertised on BreachForums the sale of approximately 6 million records allegedly stolen from Oracle Cloud’s federated SSO login servers. The attacker posted sample data and offered to sell the database for $200 million, or to exchange it for information on decrypting the hashed passwords.

Oracle initially denied that a breach had occurred, stating ‘Oracle Cloud has not experienced a security breach.’ However, multiple security researchers verified that the sample data appeared authentic, matching real Oracle Cloud customer domains and encrypted credentials. The attacker provided supporting evidence, including creating a specific file on an Oracle server and sharing a 2024-era archive.org capture of the targeted Oracle subdomain (login.us2.oraclecloud.com) running an allegedly vulnerable version. The breach appeared to leverage CVE-2021-35587, a vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware, against a server that had not been patched.

Oracle privately notified some customers of the breach despite its public denial. The stolen data included Java KeyStore (JKS) files, encrypted SSO passwords, and LDAP password hashes for Oracle Cloud customers. Multiple cybersecurity companies, including CrowdStrike and CloudSEK, confirmed elements of the breach. Oracle’s continued public denial while it privately notified customers drew significant criticism. The incident was investigated by the FBI and CISA.

Technical Details

Initial Attack Vector
A threat actor known as 'rose87168' claimed to have exploited a vulnerability in Oracle Cloud's login infrastructure (login.oracle.com / Oracle Identity Manager) to access Oracle's SSO and LDAP systems, exfiltrating approximately 6 million records, including encrypted SSO passwords, LDAP password hashes, and JKS files.
Vendor / Product
Oracle Cloud Infrastructure (OCI) / Oracle Identity Manager / Oracle Access Manager
CVE / GHSA References
CVE-2021-35587

Timeline

  1. 2025-01-01 Breach occurred
  2. 2025-03-20 Publicly disclosed
  3. 2025-03-31 Customers notified