Oracle Cloud’s Supposed Breach: Why a Threat Actor’s Reputation Can be Tricky

Idan Aharoni

April 13, 2025

On March 22nd 2025, cyber security company CloudSEK published an article on their blog claiming that they had come across a post on the dark web where a threat actor was selling data on 6 million user records from Oracle Cloud’s SSO and LDAP. The post was originally published two days earlier, on March 20th, by a threat actor called “rose87168”.

The article has made quite a splash, with many organizations attempting to understand whether the claims are real and whether they were in the list of affected companies – a list which was also provided by the threat actor. There are several ongoing discussions, including here on LinkedIn, about the authenticity of the claim, as posts on such forums are often exaggerated or outright false. While Oracle has denied being breached, some experts believe the data appears genuine. Considering the scale of Oracle Cloud, it’s natural that many organizations are now scrambling to make sense of the conflicting claims and determine whether the threat actor’s post is credible.

While we are not a dark web monitoring service and do not monitor such forums, we conducted a quick investigation on behalf of a concerned customer and wanted to share our findings and insights. Several cyber security companies have commented on the post’s credibility, referencing the threat actor’s reputation in the forum. “rose87168” has a “God” status in the forum and a positive reputation score of 30. This supposedly lends credence to the validity of the post – but does it really?

Article content — The threat actor’s post, as it appears today

In reality, relying on a user’s reputation in dark web forums to assess the truth of their claims can be misleading, as reputation can be manipulated. The case rose87168 is a good example of that. The forum in which the post was published – BreachForums – allows their users to purchase “upgrades”. These are premium plans that give users additional capabilities, such as editing or deleting posts, change usernames, giving out reputation, and more. The top-tier plan costs 50 Euros and is called “GOD” and among many things, grants the title to any use who purchases it.

Reviewing rose87168’s account, it appears they purchased this plan on March 21st, after making the post. In fact, when looking at the screen shot shared by CloudSEK in their original article, the user did not yet have the reputation score or title.

Looking into the user’s reputation history (which is publicly available on the forum), we found that rose87168’s account received +30 points from a user called “Automation” at the exact same time the “God” status was purchased.

This information – visible on rose87168’s user page, paints a clear picture: the user purchased the “God” tier for the relatively low price of 50 Euros and received a +30 reputation boost automatically from the forum for doing so. This dramatically inflated their reputation in the forum, but it was not earned.

The purpose of this post is not to asset that the Oracle Cloud breach claims are definitely fake, or real. Rather, the goal is to highlight that when assessing the credibility of claims made by threat actors in dark web forums, reputation can help determine it, but one has to be careful of relying on it, as it can be manipulated.

IntelFinder is the most cost effective threat intelligence solution on the market, offering customer-specific and actionable therat intelligence at a fraction of the cost. We cover a wide variety of threats, such as similar domain registration, rogue apps, leaked employee credentials, leaked source code, leaked documents, exposed subdomains and more – all for only $250/month per brand.

IntelFinder is offered with a two weeks free trial – no strings attached and no credit card information required!

Idan Aharoni

TRY INTELFINDER NOW

Let's Be In Touch

Do you prefer talking with us before trying out the service? no problems!