Oracle quietly admits data breach, days after lawsuit accused it of cover-up

Security experts warn that the breach fundamentally undermines cloud security assumptions. “Cloud customers were engaged on a bedrock security promise: tenant isolation and segregation contain breaches,” said Sunil Varkey, advisor at Beagle Security. “However, a single hack reportedly exposed 6 million records across 140,000 tenants, and the provider did not even realize the compromise, shattering that illusion.”

Varkey further highlighted the “watering hole” effect created by the breach: “A breached SSO endpoint with a master key isn’t just a data grab; it’s a perfect watering hole. Every tenant logging in, from global enterprises to SMBs, becomes prey. The hacker doesn’t chase them; they come to the trap.”

Threat intelligence firm CloudSEK first reported the breach, identifying a hacker selling six million records allegedly exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. Security researchers linked the attack to CVE-2021-35587, a vulnerability in Oracle Access Manager previously flagged by the Cybersecurity and Infrastructure Security Agency (CISA) as a known exploited weakness.