A new security controversy has emerged with Oracle Corp. at its center after a hacker claimed to have breached the company’s cloud infrastructure and exfiltrated sensitive data. Although Oracle has denied any breach, some cybersecurity researchers say the evidence suggests otherwise.
The story starts like all good hacking stories do, on the infamous hacking forum BreachForums. A hacker going by the name “rose87168” claimed on March 20 to have exploited a critical vulnerability in Oracle Access Manager to gain access to Oracle Cloud Infrastructure. The hacker claimed to have stolen more than 6 million records tied to more than 140,000 tenants, comprising credentials, OAuth2 keys and internal tenant configurations.
When reports first emerged a week ago, a spokesperson for Oracle told The Register that “there has been no breach of Oracle Cloud” and that “the published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
But the hacker, and now security researchers as well, say otherwise. According to research undertaken by Trustwave Holdings Inc., the threat actor offered multiple purchasing options for the allegedly stolen data, including bundles categorized by company name and credential type. The actor also provided samples to support their claims, including a database with personally identifiable information, LDAP records and a list of potentially affected companies.
Trustwave’s threat intelligence team notes that the structure and content of the sample data appeared consistent with real environments, particularly those using Oracle’s SSO and LDAP systems. If authentic, this would suggest significant exposure of sensitive credentials that could lead to further exploitation through phishing or unauthorized access.
In its March 25 blog post, Trustwave emphasized that Oracle’s denials have not been supported by detailed technical counter-evidence. The firm advises customers not to dismiss the claims outright, particularly given that some affected users have confirmed portions of the leaked data are valid.
Other researchers also believe the breach was genuine. Jake Williams, a faculty member at IANS Research and vice president of research and development at Hunter Strategy, told Cybersecurity Dive that he has “little doubt” that a compromise of Oracle’s environment took place. “There is direct evidence that a threat actor was able to upload data to the web root of a login server that was being actively used, so it can’t just be a ‘legacy endpoint’ as some have suggested,” said Williams.
Oracle continues to deny that any breach took place, and the scope of the incident, if it did occur, remains unclear. Even so, the risk to affected enterprises may be substantial if the hacker’s claims are proven true.
Per Trustwave’s advice, organizations should take proactive steps to be on the safe side, including rotating potentially exposed credentials, enabling multifactor authentication and increasing monitoring for suspicious activity.