Oracle Cloud Breach: 10,000 Records Leaked, Sensitive Data at Risk

A significant breach involving Oracle Cloud has come to light, with 10,000 records allegedly leaked by a user named ‘rose87168.’ Initial validation from Hudson Rock’s customers confirms the presence of exposed user accounts, some accessing sensitive data—debunking assumptions of a test environment compromise.

### **Key Findings from the Breach**

  1. User Accounts Confirmed: Oracle Cloud users listed in the leaked data have been verified to exist.
  2. Tenant IDs Under Scrutiny: Validation of the active tenants is still ongoing, but the infrastructure involved is tied to production systems, not a test environment.
  3. Sensitive Data Exposure: Several of the confirmed accounts have access to critical data, which raises the severity of the incident.

### **You Should Know: Oracle Cloud Security Practices & Mitigation Steps**

#### **1. Verify Oracle Cloud User Sessions**

Enumerate users, then review each user's credentials and permissions with the OCI CLI. The CLI has no per-user session listing, so the closest equivalent is the user's API keys, auth tokens and group memberships:

oci iam user list --all
oci iam api-key list --user-id <USER_OCID>
oci iam auth-token list --user-id <USER_OCID>
oci iam user list-groups --user-id <USER_OCID>

#### **2. Audit Tenant Access**

Confirm the tenancy and list the compartments under it so each environment can be validated (the CLI has no `tenant list` command; the tenancy is the root compartment):

oci iam tenancy get --tenancy-id <TENANCY_OCID>
oci iam compartment list --compartment-id <TENANCY_OCID>

#### **3. Detect Unauthorized Access**

Enable Oracle Cloud Guard, review its findings, and pull the audit events and service logs for the compartment (`oci logging log list` requires a log group, so list the groups first; `audit event list` requires an ISO 8601 time window):

oci cloud-guard detector-recipe list --compartment-id <COMPARTMENT_OCID>
oci cloud-guard problem list --compartment-id <COMPARTMENT_OCID>
oci audit event list --compartment-id <COMPARTMENT_OCID> --start-time <ISO8601_START> --end-time <ISO8601_END>
oci logging log-group list --compartment-id <COMPARTMENT_OCID>

#### **4. Isolate Compromised Accounts**

Reset the console password and revoke issued credentials (`oci iam user update` has no password-reset flag; use the `ui-password` subcommand and delete the user's tokens):

oci iam user ui-password create-or-reset --user-id <USER_OCID>
oci iam auth-token delete --user-id <USER_OCID> --auth-token-id <AUTH_TOKEN_OCID>

#### **5. Check for Data Exfiltration**

Monitor Data Safe for anomalies:

oci data-safe security-assessment list --compartment-id <COMPARTMENT_OCID> 
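One way to turn steps 1 and 3 into a repeatable check: this added Python script (not code from the original post or from Oracle) cross-references a claimed leak list against `oci iam user list` output and Audit events, reporting which leaked accounts exist, whether they are active, and whether they show auth failures or activity from outside a trusted range. The leak list, user records, audit events and trusted network are all constructed placeholders, and the audit field names follow the OCI Audit event schema as assumed here.

```python
# Added example, not code from the original post or from Oracle. JSON shapes
# follow `oci iam user list` output and OCI Audit events; every record below is
# constructed sample data, not real leak or tenancy data.
import ipaddress
import json

# Constructed: account names claimed to appear in the leak (placeholders).
LEAKED_USERNAMES = {"alice@example.com", "svc-backup@example.com"}
# Constructed: trusted egress range (TEST-NET-1, not a real corporate network).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: trimmed output in the shape of `oci iam user list --all`.
USER_LIST_JSON = json.dumps({"data": [
    {"id": "ocid1.user.oc1..EXAMPLEaaa", "name": "alice@example.com", "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..EXAMPLEbbb", "name": "bob@example.com", "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..EXAMPLEccc", "name": "svc-backup@example.com", "lifecycle-state": "INACTIVE"},
]})
# Constructed: OCI Audit-like events (principalName, ipAddress, response status).
AUDIT_EVENTS = [
    {"data": {"eventName": "GetObject", "identity": {"principalName": "alice@example.com", "ipAddress": "192.0.2.10"}, "response": {"status": "200"}}},
    {"data": {"eventName": "ListBuckets", "identity": {"principalName": "alice@example.com", "ipAddress": "198.51.100.9"}, "response": {"status": "200"}}},
    {"data": {"eventName": "GetUser", "identity": {"principalName": "alice@example.com", "ipAddress": "198.51.100.9"}, "response": {"status": "401"}}},
    {"data": {"eventName": "GetUser", "identity": {"principalName": "bob@example.com", "ipAddress": "192.0.2.11"}, "response": {"status": "200"}}},
]

def exposed_accounts(user_list_json, leaked):
    """{name: (ocid, lifecycle-state)} for tenancy users that appear in the leak list."""
    users = json.loads(user_list_json)["data"]
    return {u["name"]: (u["id"], u["lifecycle-state"]) for u in users if u["name"] in leaked}

def activity_report(events, principals, trusted_nets):
    """Per exposed principal: auth failures (401/403) and source IPs outside trusted ranges."""
    report = {p: {"auth_failures": 0, "untrusted_ips": set()} for p in principals}
    for ev in events:
        ident = ev["data"]["identity"]
        name = ident.get("principalName")
        if name not in report:
            continue  # not an exposed account; skip
        if str(ev["data"].get("response", {}).get("status")) in ("401", "403"):
            report[name]["auth_failures"] += 1
        ip = ipaddress.ip_address(ident["ipAddress"])
        if not any(ip in net for net in trusted_nets):
            report[name]["untrusted_ips"].add(str(ip))
    return report

def triage(user_list_json=USER_LIST_JSON, events=AUDIT_EVENTS):
    """Leaked accounts that exist in the tenancy, their state, and any suspicious activity."""
    exposed = exposed_accounts(user_list_json, LEAKED_USERNAMES)
    activity = activity_report(events, exposed, TRUSTED_NETS)
    return {n: {"ocid": o, "state": s, **activity[n]} for n, (o, s) in exposed.items()}
```

Feed it the real `oci iam user list --all` JSON and the events from `oci audit event list` to get a per-account list of what to reset in step 4.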

### **What Undercode Say**

The Oracle Cloud breach underscores the need for rigorous IAM policies, multi-factor authentication (MFA), and continuous log auditing. Key actions:

Linux/Mac: Use `grep` to parse Oracle logs. The path below is a placeholder: OCI does not write a log file on your hosts, so point it at wherever your exported audit or Service Connector logs land:

grep "authentication failure" /var/log/oracle-cloud.log 

Windows: Query event logs via PowerShell. The log name and event ID are placeholders; substitute the channel and IDs your log forwarder actually writes:

Get-WinEvent -LogName "OracleCloud" | Where-Object {$_.Id -eq 4625} 

Network Lockdown: Restrict outbound access to the Oracle API endpoints via iptables/nftables. Two caveats: iptables resolves a hostname only once, at rule-insertion time, so use the resolved IPs of your region's API endpoint (or an ipset) rather than a bare domain; and an ACCEPT rule on its own restricts nothing, so it must be followed by a DROP for the rest of the port:

sudo iptables -A OUTPUT -p tcp --dport 443 -d <OCI_API_ENDPOINT_IP> -j ACCEPT 
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP 

**Expected Output**:

USER_OCID TENANT_OCID STATUS 
ocid1.user.abc123 ocid1.tenant.def456 ACTIVE 

Reference: Oracle Cloud Security Docs

Reported By: Alon Gal – Hackers Feeds