CISA Issues Warning Over Oracle Cloud Credential Leak
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organisations that a January breach of two obsolete Oracle Cloud servers may expose millions of credentials.
• Oracle privately told customers that its core Oracle Cloud Infrastructure (OCI) was not compromised, but attackers accessed usernames from legacy Single-Sign-On and LDAP servers.
• A hacker calling themselves “rose87168” is now selling six million stolen records — including encrypted passwords, key files and other sensitive data affecting roughly 140,000 Oracle tenants.
• CISA says leaked credentials could enable long-term, unauthorised access, phishing and business-email-compromise campaigns; it urges firms to reset passwords, review source code, and monitor authentication logs.
• The FBI and CrowdStrike are investigating. Oracle has not commented publicly, although at least three customers have confirmed their data is in the leak.
Although Oracle insists its mainstream Oracle Cloud Infrastructure (OCI) remains untouched, threat actor “rose87168” is offering six million usernames, encrypted passwords and key files for sale online. Cyber experts believe the trove was lifted from outdated Single-Sign-On and LDAP systems inherited from Oracle’s earlier platforms.
Why it matters
• Wide impact – More than 140,000 Oracle tenants across multiple industries may be at risk.
• Credential abuse – Exposed usernames and keys can fuel phishing, privilege escalation and long-term network intrusions.
• Silent persistence – Embedded credentials are notoriously hard to spot, giving attackers months of undetected access.
CISA’s advice
1. Reset passwords for every affected Oracle service.
2. Audit source code for hard-coded credentials.
3. Watch logs for unusual log-ins or privilege changes.
4. Report incidents to national authorities without delay.
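For step 2, a minimal source-tree scan for embedded credentials could look like the Python below. This is an added example, not code from CISA or Oracle; the rule patterns, function names and the sample lines are assumptions constructed for illustration, and a real audit would pair it with a maintained secret scanner.

```python
import os
import re

# Illustrative rules (assumptions), tuned for secrets quoted as string literals.
SECRET_NAME = r"[\w.-]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)[\w.-]*"
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")),
    ("assigned-secret", re.compile(
        r"(?i)\b" + SECRET_NAME + r"\s*[:=]\s*[\"'](?P<value>[^\"'\s]{4,})[\"']")),
    # Oracle JDBC thin URLs can embed user/password before the '@'.
    ("oracle-jdbc-credentials", re.compile(
        r"(?i)jdbc:oracle:thin:[^/\s@]+/(?P<value>[^@\s]+)@")),
]
PLACEHOLDER = re.compile(r"\$\{.+\}|\{\{.+\}\}|<.+>")  # templates, not literals
SKIP_DIRS = {".git", "node_modules", "__pycache__"}

def scan_text(text, path="<memory>"):
    """Return (path, line number, rule) per hit; the secret itself is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("value") or ""
            if PLACEHOLDER.fullmatch(value):
                continue  # reference to a vault/env variable, not a literal
            findings.append((path, lineno, rule))
    return findings

def scan_tree(root):
    """Walk a checkout, skipping VCS and dependency directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings += scan_text(fh.read(), path)
    return findings

SAMPLE = '''\
# constructed sample, not real credentials
ldap_bind_password = "Winter2024!x"
db_url = "jdbc:oracle:thin:app_user/S3cretPw@//db.example.internal:1521/ORCL"
password = os.environ["DB_PASSWORD"]
api_key = "${API_KEY}"
-----BEGIN RSA PRIVATE KEY-----
'''
```

Every hit is a credential to rotate as well as remove, since deleting the line leaves the value in version-control history.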
The FBI and incident-response firm CrowdStrike are investigating the breach. Oracle declined to comment on CISA’s notice, but several customers have confirmed their details appear in the leaked database. Organisations running legacy Oracle services should act swiftly to cut off potential back-doors.