In March 2025, a threat actor claimed to have breached Oracle Cloud's SSO infrastructure. Find out if your organization should take precautionary action.
Here is what we know about the alleged breach and why your organization should still take precautions.
In March 2025, a threat actor claimed to have breached Oracle Cloud's SSO login servers, allegedly accessing over 6 million records, including encrypted SSO credentials and Java Keystore (JKS) files.
The alleged attacker claimed to have exfiltrated data from Oracle Cloud's federated SSO infrastructure, which could include LDAP passwords, OAuth2 keys, and tenant configuration data.
Oracle has denied the breach, and no independent verification has confirmed the claims. However, multiple cybersecurity researchers have analyzed samples that the threat actor made available.
Disclaimer: This page is provided for educational and precautionary purposes. We are not confirming or denying the breach. We recommend all Oracle Cloud customers take the precautionary steps outlined below regardless of breach confirmation status.
Our security team will check your organization against known indicators and deliver a report within 24 hours.
Whether or not your organization is confirmed affected, these steps will strengthen your security posture against credential-based attacks.
Credential breaches often cascade across connected services. Make sure your entire environment is secure.