
Oracle continues to publicly deny that a hacker breached its systems and leaked six million customer records, including sensitive information. But threat researchers allege that data including key files and encrypted single sign-on (SSO) passwords for up to 140,000 Oracle Cloud tenants has been leaked – and the incident has triggered its first class action suit.
The case, filed on March 31 by Florida-based law firm Shamis & Gentile for plaintiff Michael Toikach and 100+ others, alleges that despite Oracle's "promise in its Privacy Policies to report all data breaches to customers 'without undue delay', Defendant has failed to notify Plaintiff and Class members of the Breach for over two months and counting. The Data Breach occurred as a direct result of Defendant’s failure to implement and follow basic security procedures, and its failure to follow its own policies."
Cybersecurity company Trustwave, meanwhile, says its analysis of a sample of the leaked data shows it includes “a substantial amount of sensitive IAM data associated with a user within an Oracle Cloud multi-tenant environment [with] administrative role assignments” among other worrying claims. The data includes a vast trove of hashed passwords using SASL/MD5 mechanisms that Trustwave says "raises significant concerns."
"Although hashed, these entries can still be susceptible to offline brute-force or dictionary attacks - especially if salts are not used or the hashing scheme is outdated," the company warned last week.
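To make the warning above concrete, here is an added Python illustration (not code from the original article, from Trustwave's analysis, or from Oracle) of the offline dictionary attack it describes, run against constructed sample entries. Two storage styles are modelled: an unsalted `{MD5}` digest of the password alone, and a SASL/MD5-style digest assumed here to be the DIGEST-MD5 HA1 value, MD5("user:realm:password"); the page does not describe the actual encoding in the leaked dump, and the realm, usernames, passwords and wordlist are all made up for the example.

```python
import base64
import hashlib

# Hypothetical LDAP realm for the SASL/MD5-style entries (assumption).
REALM = "example.internal"


def md5_b64(password: str) -> str:
    """Unsalted {MD5} storage: base64 of MD5(password), as used by several LDAP servers."""
    return base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def sasl_md5(user: str, realm: str, password: str) -> str:
    """SASL/MD5-style digest, modelled here as the DIGEST-MD5 HA1 value
    MD5("user:realm:password") in hex. The exact encoding in the leaked dump
    is not described on the page; this construction is an assumption."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


# Constructed sample entries standing in for a dump (not real data).
SAMPLE_DUMP = [
    ("alice", "{MD5}" + md5_b64("Summer2024!")),
    ("bob", "{MD5}" + md5_b64("Welcome1")),
    ("carol", "{SASL/MD5}" + sasl_md5("carol", REALM, "Oracle123")),
    ("dave", "{SASL/MD5}" + sasl_md5("dave", REALM, "Tr0ub4dor&3")),  # not in the wordlist
]

# A tiny constructed wordlist; real attacks use lists of billions of candidates.
WORDLIST = ["password", "Welcome1", "Summer2024!", "Oracle123", "changeme"]


def crack_unsalted(entries, wordlist):
    """Offline dictionary attack on unsalted {MD5} entries.

    With no salt, one table of len(wordlist) digests is built once and every
    entry is checked against it by lookup, so the hashing cost does not grow
    with the number of users in the dump. Returns ({user: password}, md5_calls)."""
    table = {md5_b64(w): w for w in wordlist}
    cracked = {}
    for user, stored in entries:
        if stored.startswith("{MD5}") and stored[len("{MD5}"):] in table:
            cracked[user] = table[stored[len("{MD5}"):]]
    return cracked, len(wordlist)


def crack_sasl_md5(entries, wordlist, realm):
    """Offline dictionary attack on SASL/MD5-style entries.

    The username:realm prefix acts as a deterministic, non-secret salt: the
    table cannot be shared across users, so each user costs up to
    len(wordlist) MD5 calls. MD5 has no work factor, so this stays cheap.
    Returns ({user: password}, md5_calls)."""
    cracked = {}
    md5_calls = 0
    prefix = "{SASL/MD5}"
    for user, stored in entries:
        if not stored.startswith(prefix):
            continue
        digest = stored[len(prefix):]
        for w in wordlist:
            md5_calls += 1
            if sasl_md5(user, realm, w) == digest:
                cracked[user] = w
                break
    return cracked, md5_calls


if __name__ == "__main__":
    print(crack_unsalted(SAMPLE_DUMP, WORDLIST))
    print(crack_sasl_md5(SAMPLE_DUMP, WORDLIST, REALM))
```

The point of the two functions is the cost model: against unsalted digests the attacker pays for the wordlist once and reuses it across every user in the dump, while a username-derived "salt" only forces one pass per user without making any single guess more expensive. A salted, iterated scheme such as PBKDF2 or bcrypt multiplies the per-guess cost by its work factor, which is what makes the same dictionary attack impractical at scale.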
Security researcher Kevin Beaumont, meanwhile, wrote on March 31st that “multiple Oracle cloud customers have reached out to me to say Oracle have now confirmed a breach of their services. They are only doing so verbally, they will not write anything down, so they’re setting up meetings with large customers who query” – an extraordinary approach that potentially puts those who do not proactively reach out at real risk.
Oracle breach: "Absolute denialism"
The allegations first surfaced after a threat actor going by the handle of @rose87168 claimed to have breached Oracle services inside oraclecloud.com – with Bleeping Computer first reporting on the alleged breach on March 21. The threat actor has since posted evidence suggesting that they had “write” access to login.us2.oraclecloud.com; a service using Oracle Access Manager on a server managed by Oracle.
Indian security firm CloudSEK suggests that the data dump includes:
- "~6 million lines of data dumped from Oracle Cloud’s SSO and LDAP that include
- JKS files,
- encrypted SSO passwords,
- key files,
- enterprise manager JPS keys."
CloudSEK's team note that the subdomain the attacker has suggested was their access point was hosting Oracle Fusion Middleware 11g. If unpatched, that version is known to carry a critical (CVSS 9.8) pre-authentication RCE vulnerability affecting the software's OpenSSO Agent, which the CVE description calls an "easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager."
When reporting on that vulnerability (allocated CVE-2022-21445) back in 2022, The Stack revealed that despite its criticality and easy exploitability it sat unpatched by Oracle for over six months after two Vietnamese security researchers disclosed it to the software company under the ZDI bug bounty programme. The security researchers in question told us at the time that they breached a vital Oracle domain using the exploit in an effort to drive home its severity, after failing to get a response – and that Dell and Starbucks had been among those with exposed systems at the time.
Mattel CISO Tom Le commented on LinkedIn: “I don't understand how Oracle can categorically deny that no breach occurred in public statements to journalists, yet Oracle account teams are conducting customer meetings with an incident response demeanor…”
He added: “Even if this wasn't a direct breach but instead is an indirect access vector (via brute force decryption on SSO / LDAP hashes or session tokens), Oracle’s absolute denialism doesn't inspire confidence should a customer expect transparency in a future cyber incident.”
Oracle has been contacted for comment.
Affected? Been contacted by Oracle? Share your views by email or Signal @Targett.11