
Oracle Cloud Breach, Reportedly 6 Million Records Exposed

On March 21, 2025 CloudSEK reported a significant security incident allegedly targeting Oracle Cloud through its identity management system. A threat actor claimed to have stolen 6 million records, potentially affecting more than 140,000 tenants.

The alleged attacker is demanding that affected organizations pay to have their data removed, and is also soliciting help to decrypt the stolen material, which reportedly includes Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) and LDAP passwords, and Enterprise Manager JPS keys. In the face of these reports Oracle maintains that no customer data has been compromised.

This situation highlights the urgency for organizations to reassess their security measures, including separating their encryption and key management systems from their SaaS and cloud providers.

What You Need To Know

The Oracle Cloud breach came to light when the attacker advertised the stolen records on an internet forum. The individual claimed to have exploited a vulnerability in Oracle Cloud's login infrastructure, specifically CVE-2021-35587, a critical pre-authentication flaw in Oracle Access Manager for which Oracle issued a patch in its January 2022 Critical Patch Update. The targeted endpoint was login.(region-name).oraclecloud.com, which is part of Oracle's Single Sign-On system.

What Data Was Reportedly Compromised?

The compromised data reportedly includes sensitive assets such as Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) and LDAP passwords, and Enterprise Manager JPS keys.

  • Java KeyStore (JKS) files: These contain cryptographic keys and certificates crucial for Java applications.
  • Encrypted SSO passwords: Used for Single Sign-On, these could allow unauthorized access if decrypted.
  • Encrypted LDAP passwords: Essential for directory authentication, these also pose a risk if compromised.
  • Enterprise Manager JPS keys: These manage access and encryption within Oracle Enterprise Manager.

Attackers Demand and Oracle's Response

The attacker is demanding that organizations pay to have their data removed from the stolen records. Because the SSO and LDAP credentials are encrypted, they are currently of limited value; however, the attacker is seeking help to decrypt them and is offering a bounty to anyone who can. Encrypted credentials are only as safe as the keys that protect them, and the same dump reportedly contains keystores and JPS keys, so affected organizations should treat these credentials as exposed and rotate them rather than rely on the encryption holding.

The price being asked for the data has not been disclosed. The Register reports that the attacker contacted Oracle roughly a month earlier to notify it of the alleged theft and demanded $200 million in cryptocurrency in exchange for details, which was reportedly turned down.

Despite the claims, and with organizations scrambling to check their exposure, Oracle has maintained that no customer data has been compromised.

Why Keeping Your Encryption System at Arms-length Protects Your Data

The reported Oracle Cloud breach highlights a critical weakness: even encrypted data stored within a cloud platform becomes a liability if attackers compromise the authentication systems or the key stores that protect it. If, for example, provider-hosted keystores are breached, the attacker holds both the ciphertext and the keys needed to read the sensitive data stored on the platform.

A powerful, proactive security measure is to keep encryption and tokenization systems at arm's length from SaaS and cloud providers, so that sensitive data is protected before it reaches the provider's servers and stolen information is worthless to an attacker who does not hold the keys.

Mitigating Cloud Breach Risk with StratoKey's Zero-Trust Encryption Gateway

Using a product like StratoKey prevents data stolen from your SaaS or cloud provider from having any value to the attacker. StratoKey's zero-trust architecture provides arm's-length encryption, end-to-end encrypting your data before it is transmitted to the provider's servers.

Securing Your Cloud Platforms With StratoKey

StratoKey provides a software-based cloud encryption gateway that encrypts and decrypts information flowing to and from your cloud and SaaS applications. StratoKey lets you continue to use the best cloud products for your organization whilst securing your sensitive data through:

  • Zero-Trust Encryption Architecture: StratoKey supports a zero-trust model by ensuring that data is encrypted or tokenized, and access to it controlled, independently of the cloud/SaaS provider. Every access attempt is verified and unnecessary access restricted, which limits the impact of a breach: even if the cloud platform is compromised, attackers obtain only unusable ciphertext.
  • Customer-Controlled Keys: Encryption keys and authentication processes are managed entirely outside the provider's environment. This separation means customers retain full control over who can read their data and are no longer wholly reliant on the security of the cloud or SaaS platform.
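The gateway model described in this section, shown as an added Go example rather than StratoKey's own code or code from the original page: a customer-side Gateway encrypts the fields marked sensitive with AES-256-GCM under a key the provider never sees, binding the record id and field name as associated data, so the provider's store (and therefore any dump of it) holds only ciphertext. PlaintextLeaks is the check an incident responder would run over such a dump. The type and function names (Gateway, Outbound, Inbound, ProviderStore, PlaintextLeaks), the field names and the sample record are constructed for this illustration; tokenization, which the text also mentions, is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is one row of application data as the SaaS side stores it; a
// ProviderStore is what a fully compromised provider hands an attacker.
type Record map[string]string
type ProviderStore map[string]Record

// Gateway models a customer-operated encryption gateway. The key lives here, on
// the customer's side of the wire; the provider only receives what Outbound returns.
type Gateway struct {
	aead      cipher.AEAD
	sensitive map[string]bool // fields that must never reach the provider in clear
}

func NewGateway(key []byte, sensitive ...string) (*Gateway, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	g := &Gateway{aead: aead, sensitive: map[string]bool{}}
	for _, f := range sensitive {
		g.sensitive[f] = true
	}
	return g, nil
}

// Outbound encrypts sensitive fields before a record leaves for the provider.
// Each field gets AES-GCM with a fresh nonce, with the record id and field name
// bound as associated data so a ciphertext transplanted into another row or
// column fails authentication when it comes back.
func (g *Gateway) Outbound(id string, rec Record) (Record, error) {
	out := make(Record, len(rec))
	for field, val := range rec {
		if !g.sensitive[field] {
			out[field] = val // not sensitive: passes through in the clear
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nonce, nonce, []byte(val), []byte(id+"|"+field)) // nonce||ct||tag
		out[field] = "enc:" + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound restores plaintext when a record comes back from the provider.
func (g *Gateway) Inbound(id string, rec Record) (Record, error) {
	out := make(Record, len(rec))
	for field, val := range rec {
		if !strings.HasPrefix(val, "enc:") {
			out[field] = val
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(val[4:])
		ns := g.aead.NonceSize()
		if err != nil || len(raw) < ns {
			return nil, fmt.Errorf("field %q: malformed ciphertext", field)
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(id+"|"+field))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", field, err) // wrong key, wrong row, or tampered
		}
		out[field] = string(pt)
	}
	return out, nil
}

// PlaintextLeaks lists "id.field" for every sensitive field that sits in a breach
// dump without the enc: marker, i.e. readable without the gateway's key.
func PlaintextLeaks(dump ProviderStore, sensitive ...string) []string {
	var leaks []string
	for id, rec := range dump {
		for _, field := range sensitive {
			if v, ok := rec[field]; ok && !strings.HasPrefix(v, "enc:") {
				leaks = append(leaks, id+"."+field)
			}
		}
	}
	return leaks
}
```

Calling Outbound("cust-1", rec) on a record with name, email and ssn, saving the result in a ProviderStore and reading it back through Inbound with the same id round-trips the plaintext; reading it back under a different id, with a different key, or after the stored value has been altered fails GCM authentication. That failure is the property that makes the provider-side copy worthless without the customer-held key, and PlaintextLeaks over a dump of the store returns nothing for the gateway-protected record but flags both sensitive fields if the same record had been saved unprotected.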

With StratoKey, organizations can turn cloud breaches from potentially significant threats into contained incidents, maintaining operational continuity even when cloud and SaaS platform-level defenses fail. Breaches can have significant and long-lasting impacts on the organizations affected.

To learn more about how StratoKey can help secure your cloud environment and mitigate breach risk, please contact us or download the StratoKey White Paper.