Update: On April 16, 2025, the Cybersecurity & Infrastructure Security Agency (CISA) released guidance on credential risks associated with the potential legacy Oracle Cloud compromise. The alert and CISA's recommendations can be found here:
CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise
CISA recommends the following actions to reduce the risks associated with potential credential compromise:
For Organizations:
- Reset passwords for any known affected users across enterprise services, particularly where local credentials may not be federated through enterprise identity solutions.
- Review source code, infrastructure-as-code templates, automation scripts, and configuration files for hardcoded or embedded credentials and replace them with secure authentication methods supported by centralized secret management.
- Monitor authentication logs for anomalous activity, especially involving privileged, service, or federated identity accounts, and assess whether additional credentials (such as API keys and shared accounts) may be associated with any known impacted identities.
- Enforce phishing-resistant multi-factor authentication (MFA) for all user and administrator accounts wherever technically feasible.
- For additional information on cloud security best practices, please review the following Cybersecurity Information Sheets: CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices.
For Users:
- Immediately update any potentially affected passwords that may have been reused across other platforms or services.
- Use strong, unique passwords for each account and enable phishing-resistant multifactor authentication (MFA) on services and applications that support it. For more information on using strong passwords, see CISA’s Use Strong Passwords web page. For more information on phishing-resistant MFA see CISA’s Implementing Phishing-Resistant MFA Fact Sheet.
- Remain alert against phishing attempts (e.g., referencing login issues, password resets, or suspicious activity notifications) and reference Phishing Guidance: Stopping the Attack Cycle at Phase One.
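CISA's second organizational recommendation (review code, infrastructure-as-code, scripts and config files for embedded credentials) is the one that is easiest to mechanize. The scanner below is an added example written for this page, not CISA's or Clearwater's tooling, and it runs over a handful of constructed snippets, none of which are real credentials: a Terraform resource with a literal admin password, a Java properties file with an Oracle JDBC URL carrying user/password inline and a `keyStorePassword=changeit`, a PEM private key, and two clean files whose values are references (`var.admin_password`, `${{ secrets.OCI_API_KEY }}`) rather than literals. Findings are redacted so the report itself does not become another copy of the secret. The file names, key names and reference prefixes are assumptions for the example; in production a dedicated tool such as gitleaks or trufflehog covers far more patterns, but the classification logic is the same.

```python
import re
from typing import Dict, List, NamedTuple

# A credential-like key followed by an assignment. The surrounding character classes let
# dotted or prefixed names such as "javax.net.ssl.keyStorePassword" or "OCI_API_KEY" match.
ASSIGNMENT_RE = re.compile(
    r"""([A-Za-z0-9_.\-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[A-Za-z0-9_.\-]*)"""
    r"""\s*[:=]\s*["']?([^"'\s]+)""",
    re.IGNORECASE,
)
# Oracle thin-driver JDBC URL with user/password embedded: jdbc:oracle:thin:user/pass@host
JDBC_RE = re.compile(r"jdbc:oracle:thin:([^/\s@]+)/([^@\s]+)@", re.IGNORECASE)
# Generic scheme://user:password@host
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.\-]*://([^:/\s@]+):([^@\s]+)@", re.IGNORECASE)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Values that point at a variable, template or secret store instead of being a literal.
# Assumed set for the example; extend for your own IaC and CI conventions.
REFERENCE_PREFIXES = ("${", "{{", "var.", "local.", "data.", "vault:", "<", "env(")
MIN_SECRET_LEN = 4


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str      # "assignment", "jdbc-url", "url-credential" or "private-key"
    key: str       # variable name or username that owns the credential
    redacted: str  # first two characters only; never log the secret itself


def redact(value: str) -> str:
    return value[:2] + "*" * max(len(value) - 2, 0)


def is_reference(value: str) -> bool:
    """True when the value is a lookup (variable, template, secret manager), not a literal."""
    return value.startswith(REFERENCE_PREFIXES) or value.lower() in {"null", "none"}


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, line_no, "private-key", "PEM", "(key material not shown)"))
            continue
        m = JDBC_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "jdbc-url", m.group(1), redact(m.group(2))))
            continue
        m = URL_CRED_RE.search(line)
        if m:
            findings.append(Finding(path, line_no, "url-credential", m.group(1), redact(m.group(2))))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            value = m.group(2)
            if len(value) >= MIN_SECRET_LEN and not is_reference(value):
                findings.append(Finding(path, line_no, "assignment", m.group(1), redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample inputs (no real credentials): hardcoded forms next to the
# reference-based forms they should be replaced with.
SAMPLE_FILES: Dict[str, str] = {
    "main.tf": (
        'resource "oci_database_autonomous_database" "db" {\n'
        '  admin_password = "Welcome#2025!"\n'   # literal: flagged
        "}\n"
    ),
    "fixed.tf": "admin_password = var.admin_password\n",  # reference: clean
    "app.properties": (
        "db.url=jdbc:oracle:thin:appuser/Sup3rS3cret@db.example.internal:1521/ORCL\n"
        "javax.net.ssl.keyStorePassword=changeit\n"
    ),
    "deploy.yml": (
        "env:\n"
        "  OCI_API_KEY: ${{ secrets.OCI_API_KEY }}\n"
        "  DB_PASSWORD: \"{{ lookup('env', 'DB_PASSWORD') }}\"\n"
    ),
    "id_rsa.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.key} = {f.redacted}")
```

Anything the scanner reports is a credential that a copy of the repository, template or build log exposes; the fix CISA describes is to replace the literal with a reference your secret manager resolves at deploy time and then rotate the value, since it has to be assumed already copied.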
Clearwater’s Security Operations Center (SOC) will continue assessing the situation and monitoring for updates. In our earlier alert below, you can check whether your organization’s web or email domain has been compromised.
————————————————————————————————————————————————————-
What we currently know, 03/24/2025
There has been recent activity around a potential Oracle Cloud breach. On March 21, 2025, samples of data allegedly stolen from Oracle Cloud were put up for sale, with the threat actor touting 6 million extracted records and claiming to have gained access by compromising the login endpoint. The posted data includes Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Oracle Enterprise Manager JPS (Java Platform Security) keys.
Clearwater is actively monitoring this supply-chain threat and assessing updates as they emerge. As of this post, Oracle denies any compromise.
Our recommendation is to take the following precautions against any leaked credentials:
- For all users, immediately rotate the passwords, keys, secrets, and hash values associated with Oracle Cloud applications
- Update all SSO and LDAP integrations, rotating the credentials and certificates they depend on
- Require MFA for access to all Oracle Cloud applications
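The first recommendation says rotate the keys, not just the keystore passwords, and the leaked JKS files are the reason. A JKS file ends with a 20-byte integrity digest computed as SHA-1 over the store password (as UTF-16BE), the fixed string "Mighty Aphrodite", and the whole file body, so anyone holding a copy of the file can test password guesses offline at hash speed, and changing the password on your own copy does nothing for theirs. The example below is added for this page and is not Clearwater's or Oracle's code: it builds a minimal keystore with one constructed trusted-certificate entry (placeholder DER bytes, not a real certificate), verifies a password against the digest the same way `keytool` does, and runs a short default-password list against it, which doubles as a quick check for keystores in your own estate still protected by `changeit`. The password, alias and wordlist are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
# Fixed salt Java mixes into the keystore integrity digest (sun.security.provider.JavaKeyStore).
JKS_SALT = b"Mighty Aphrodite"
DIGEST_LEN = 20  # SHA-1


def jks_integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1(password as UTF-16BE || "Mighty Aphrodite" || every byte before the digest)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()


def build_jks(password: str, alias: str, cert_der: bytes) -> bytes:
    """Construct a minimal JKS file holding one trusted-certificate entry.

    Constructed for the example: cert_der is never parsed by the integrity check, which
    covers the body bytes regardless of what the entries contain.
    """
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 1)  # magic, version, entry count
    body += struct.pack(">I", 2)                            # entry tag 2 = trusted certificate
    alias_b = alias.encode("utf-8")
    body += struct.pack(">H", len(alias_b)) + alias_b       # Java writeUTF(alias)
    body += struct.pack(">Q", 1_711_000_000_000)            # creation date, ms since epoch
    body += struct.pack(">H", 5) + b"X.509"                 # certificate type
    body += struct.pack(">I", len(cert_der)) + cert_der     # certificate bytes
    return body + jks_integrity_digest(password, body)


def split_jks(data: bytes):
    """Separate a JKS file into (body, trailing digest), rejecting non-JKS input."""
    if len(data) < 12 + DIGEST_LEN or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return data[:-DIGEST_LEN], data[-DIGEST_LEN:]


def check_password(data: bytes, password: str) -> bool:
    """Same integrity check keytool performs when opening the store with a password."""
    body, digest = split_jks(data)
    return hmac.compare_digest(jks_integrity_digest(password, body), digest)


def guess_password(data: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline test of candidate passwords: one SHA-1 per guess, no Oracle or Java involved."""
    body, digest = split_jks(data)
    for pw in candidates:
        if jks_integrity_digest(pw, body) == digest:
            return pw
    return None


# Constructed sample: a store protected by keytool's well-known default password.
SAMPLE_PASSWORD = "changeit"
SAMPLE_JKS = build_jks(SAMPLE_PASSWORD, "sso-signing", b"\x30\x03\x02\x01\x00")  # placeholder DER
DEFAULT_PASSWORDS = ["password", "oracle", "welcome1", "changeit", "keystore"]

if __name__ == "__main__":
    print("wrong password accepted:", check_password(SAMPLE_JKS, "wrong"))
    print("recovered store password:", guess_password(SAMPLE_JKS, DEFAULT_PASSWORDS))
```

Private key entries inside a JKS are additionally wrapped under their own key password, but that password is commonly the same as the store password and is attacked the same way, so a keystore that left your control is a set of exposed keys: reissue the certificates and SSO signing keys, then replace the keystores that carried them.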
Below, you can check whether your organization’s web or email domain has been compromised, using a tool developed by Clearwater’s Managed Security Services team.
We will continue monitoring the situation and post updates to this page as new information becomes available. If your organization’s web or email domain is compromised, or if you need immediate help assessing this potential risk, feel free to contact us.