Threat Intelligence Report: Suspected Oracle Breach – Sample Leak Analysis

by

Cybersecurity Analyst
in

Overview

A sample allegedly from a breach of Oracle Cloud infrastructure has surfaced on BreachForums. The leaked material includes an LDAP directory export containing sensitive user information tied to Oracle’s multi-tenant architecture. Here are the samples companies mentioned:

Company.List-1Download

This analysis examines the structure, contents, and implications of the leak, identifies potential attack surfaces, and maps the scope using associated organizational data.

Leak Structure & Content Breakdown

1. Source File: Sample_LDAP.txt

The file includes structured LDAP entries for users in an Oracle Cloud identity store, with attributes consistent with Oracle Identity Management and Fusion Middleware environments.

Key Attributes Extracted:

  • dn: Distinguished name indicating tenant structure in dc=cloud,dc=oracle,dc=com
  • orclmttenantguid: Same across all users — 11987096172814988 — suggests a single compromised tenant
  • objectclass: Includes sensitive Oracle IAM schema classes (orclIDXPerson, oblixOrgPerson)
  • authpassword;oid: Multiple hashed password formats (SASL/MD5, MD5-DN, MD5-U)
  • userpassword::: Base64 encoded, obfuscated password
  • obpasswordexpirydate: Indicates old credentials (2018-05-24)
  • tenantadmin, userreadprivilegeuc, userwriteprivilegeuc: Access role information for internal IAM groups

User Info Examples:

yamlCopyEditName: Pa****ck D*dd
Email: pa*ck_d**d@h**er.com
Tenant: efkd-test
Role: TenantAdminGroup
yamlCopyEditName: Li**a F**s
Email: li**a.f**us@f**p.com
Tenant: efkd-test
Role: Full IAM privileges

More than five users are included, each with similar attributes — implying a test or development environment, but with real user identities.

Technical Assessment

Evidence of Real Oracle IAM Environment

  • The LDAP schema includes orclMTTenantGuid, orclUserWritePrefsPrivilegeGroup, and Oblix identity management classes — Oracle-specific internal IAM attributes, which are unlikely to be fabricated.

Passwords not in plaintext

  • Although authpassword;oid values are shown in hash formats (MD5-based), MD5 is deprecated, and depending on Oracle’s hashing salt strategy, these could potentially be cracked.

Stale Credentials?

  • The password expiry dates suggest this environment has not been actively maintained since 2018, raising the possibility this is a legacy tenant or a data snapshot from a dev/test backup.

Cross-Mapping to Known Organizations

Affected Companies (Found in the Company List)

All email domains from the leaked LDAP sample do exist in the Oracle-related company list. These domains are:

  • hitchiner.com
  • fngp.com
  • fnst.com

This strongly suggests that all identified users are associated with companies known to Oracle, either as clients, partners, or test users. None of the LDAP domains are missing from the company list. This means no obvious fake/test-only domains like example.com, test.local, etc., appear in the sample.

Company Footprint Analysis

Total Data Scope

  • Total entries: 140,621 domain mentions
  • Unique companies affected: 128,466
  • Duplicated domains: 11,310 domains appeared more than once — likely due to:
    • Multiple user accounts
    • Multi-tenant overlaps
    • Repeated organizational listings in IAM systems

Top-Level Domain (TLD) Analysis

These are the most common domain zones in the breached data:

TLDCountRegion
.com70,971Global / US-centric
.br4,432Brazil
.jp3,424Japan
.net3,280Global
.org2,876Non-profits, EDU
.de2,349Germany
.uk2,290United Kingdom
.it1,808Italy
.mx1,523Mexico
.au1,497Australia

Strong international spread — not just North America. This suggests the compromised Oracle environment was used by global clients.

Free & Personal Email Providers

Only 17 domains in the list belong to generic email services (e.g., Gmail, Hotmail, Yahoo, QQ):

Examples include:

  • gmail.com (8 mentions)
  • hotmail.com (4 mentions)
  • icloud.com, qq.com, 163.com, etc.

📌 This shows the overwhelming majority of entries are enterprise/company emails, not personal accounts — reinforcing the enterprise nature of this breach.

Duplicate Domains (Sample)

Some companies appear multiple times in the breach list. A few examples:

DomainMentions
gmail.com8
nov.com4
ironmountain.com2
kp.org3
shelfdrilling.com3

These may indicate:

  • IAM groups across departments or regions
  • Multiple users tied to one org
  • Possible test vs prod duplication inside Oracle’s infrastructure

Takeaways

  • This was not a superficial scrape — the list is too broad, diverse, and enterprise-focused.
  • Oracle’s IAM data breach affected a massive international client base across sectors (tech, logistics, education, healthcare, manufacturing, etc.).
  • The presence of repeated entries and global spread suggests the source environment may have been a shared multi-tenant Oracle Cloud IAM instance or a misconfigured global reporting snapshot.

Additional Insights

  • All users are part of the same tenant (efkd-test) with the same orclMTTenantGuid. This tenant may be a shared environment or demo account used for multiple client-facing roles or support scenarios.
  • The consistent use of @hitchiner.com, @fngp.com, and @fnst.com might indicate these companies share a joint environment, or Oracle used these domains in QA/dev environments with real partner data.
  • The presence of TenantAdminGroup and full IAM access roles in these user entries implies privileged access — possibly partner-admins or implementation teams.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *