Oracle Corp (NYSE: ORCL) is facing mounting questions about the security of its cloud infrastructure following allegations that a trove of sensitive login credentials and configuration data was stolen and leaked online.
The company has denied any breach occurred.
However, cybersecurity researchers and multiple enterprise customers have reviewed the data and say it appears legitimate, pointing to potential exposure across Oracle Cloud’s Single Sign-On (SSO) and identity management systems.
The controversy began in late March, when a threat actor using the alias “rose87168” claimed responsibility for the alleged breach, asserting they exploited a known vulnerability, CVE-2021-35587, in Oracle Access Manager, a key component of Oracle’s identity infrastructure. The hacker claimed to have accessed login credentials and sensitive data from more than 140,000 tenants, totaling around six million records.
The dataset reportedly includes SSO credentials, LDAP passwords, tenant IDs, and private certificates — details that could, if genuine, enable lateral movement within enterprise environments and facilitate future cyberattacks.
Response and Industry Pushback
Oracle was quick to issue a denial, stating that “no Oracle Cloud customers experienced a breach or lost any data” and that the leaked credentials “are not for the Oracle Cloud.” The company has not released a technical explanation or independent assessment to support its position, and has remained publicly silent on follow-up questions.
That stance has drawn criticism from security experts, who say the evidence warrants closer inspection.
Cybersecurity firm CloudSEK, which analyzed a 10,000-line sample of the leaked data, said the structure and content align with production Oracle Cloud environments. The dataset reportedly includes real configuration files, valid authentication keys, and metadata consistent with live customer deployments.
Hudson Rock, another firm that reviewed the material, echoed those findings. And according to BleepingComputer, several affected organizations have confirmed their credentials were part of the leaked data, casting further doubt on Oracle’s denial.
The threat actor has not made the full database public but is reportedly offering it for sale via dark web channels.
Vendor and Enterprise Precautions
Amid the uncertainty, several technology vendors are urging caution. Palo Alto Networks and Rapid7 have advised customers to rotate credentials associated with Oracle services and review integrations for suspicious activity.
Many enterprise security teams have reportedly launched internal audits and tightened monitoring around Oracle-connected systems. While no major downstream incidents have yet been linked to the leaked credentials, security professionals warn that compromised authentication data could fuel future supply chain or ransomware attacks.
The response from industry players contrasts sharply with Oracle’s own.
“The risk here isn’t just whether there was a breach, it’s whether organizations have the information they need to protect themselves,” one security analyst told Cybersecurity Dive.
A Second Breach Raises More Questions
Complicating the situation are new allegations involving Oracle Health, the company’s healthcare IT division formed following its 2022 acquisition of Cerner. According to a report from Ars Technica, Oracle may be investigating a separate incident in which patient data from several U.S. hospitals was accessed.
Oracle has not commented on these new claims.
The potential for two concurrent incidents, one affecting enterprise identity infrastructure, the other involving protected health information, has led some in the security community to call for a broader investigation.
Whether the two are connected remains unclear, but the lack of disclosure on either front has amplified frustration among analysts and customers alike.
Broader Implications for Cloud Security
If the data proves authentic, the Oracle case may become a landmark example of the lingering risks associated with unpatched vulnerabilities. CVE-2021-35587, the alleged attack vector, was patched by Oracle in late 2021.
Yet if even a small number of Oracle-managed or customer-integrated systems remained unpatched, the damage could be far-reaching.
The situation also reflects a broader trend in cloud security, where customers rely heavily on providers not only for uptime and infrastructure, but for accurate, timely communication when incidents arise. Analysts say Oracle’s refusal to engage publicly beyond its initial statement may erode customer confidence and encourage stricter scrutiny of cloud vendor relationships.
The Bottom Line
As of April 1, 2025, Oracle’s official stance remains unchanged: no breach, no data loss, no compromise. But the growing body of independent analysis, along with confirmations from organizations listed in the leaked dataset, paints a more complex picture.
With enterprise vendors taking defensive measures, cybersecurity firms continuing to investigate, and a possible second incident in the healthcare sector under review, Oracle’s response may face increasing pressure in the days ahead.
For now, the breach remains publicly unconfirmed, but far from closed.