Cybersecurity Alert – Potential Data Breach of Oracle Cloud
IMPACT: All Firms
Member firms should be aware of an alleged large-scale data breach possibly affecting Oracle Cloud services at firms and at their third-party providers. FINRA recommends that firms review this information to assess any potential impact to their operations, including the operations of third-party providers that deliver services to the firm. FINRA previously emailed firms whose domain names appeared in the threat actor's post, as well as firms that had previously informed FINRA of their use of Oracle products and services.[1]
Background
On or around March 20, a threat actor advertised nearly 6 million data records for sale, claiming the data—which included encrypted passwords and password hashes, along with Java keystores and key files—were taken from Oracle Cloud's federated Single Sign-On (SSO) login servers. If the threat actor's claim is true, and the passwords, hashes or keys can be decrypted or cracked, data stored in the Oracle Cloud Platform could be vulnerable. According to the actor's statements to Bleeping Computer, the breach may have occurred in or around mid-February 2025. The threat actor posted data samples and a list of 140,000 allegedly compromised domain names associated with companies across industries.
CloudSEK first reported the breach on March 21, concluded that the advertised data was present in the posted samples, and reinforced its conclusions through additional analysis. In addition, conversations with the threat actor led CloudSEK to determine that the unauthorized access may have been obtained through a possible vulnerability related to CVE-2021-35587,[2] a flaw affecting Oracle Fusion Middleware instances that could allow unauthorized access via Oracle Access Manager. Oracle has thus far denied that any breach of its cloud infrastructure has occurred.
According to Hudson Rock, representatives from several of the organizations listed in the alleged breach have confirmed that data contained in the advertised breach was genuine and had been hosted in a production environment of Oracle Cloud.
The threat actor stated that companies could contact them to pay for the removal of their company's data from the available trove, and solicited offers from other actors to help decrypt or crack the passwords in exchange for zero-day exploits or a share of the breached data.
Recommendations to Protect Your Firm
Large-scale data breaches and follow-on attacks continue to target the financial services sector. Firms experiencing a data breach or a data breach’s secondary effects are encouraged to review FINRA’s Effective Practices for Responding to a Cyber Incident.
FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst and to report them to:
- FINRA using the Regulatory Tip Form found on FINRA.org;
- the SEC using the Tips, Complaints, and Referrals form or by calling (202) 551-4790; and
- the FBI using its Internet Crime Complaint Center or by calling 1-800-CALLFBI (1-800-225-5324).
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.
[1] The research was conducted on domain names known to FINRA, as well as previous disclosures by member firms related to use of specific third-party providers. FINRA cannot confirm whether Oracle services or Oracle Cloud are impacted by the threat actor's claims.
[2] "CVE" is short for Common Vulnerabilities and Exposures, a list of publicly known cybersecurity vulnerabilities.