One Click, Six Million Tenants
How a Forgotten Oracle Cloud SSO Key Unlocked Every Customer Vault
In the time it takes a kettle to boil in Austin, a lone attacker used a leaked Java keystore to forge Oracle Cloud's single sign-on token and poured six million customer records into a $50k dark-web auction.
Critical Alert
A forgotten Oracle Cloud SSO keystore, still protected by the Java default password "changeit", exposed 6 million customer records across 140k tenants, including encrypted OTP seeds and tenant API keys, all exfiltrated in 12 minutes.
When "Single Sign-On" Became "Single Skeleton Key"
| Date (March 2025) | Event |
|---|---|
| 12 Mar 05:49 | Post on a cyber-crime forum offers an "Oracle Cloud SSO master pack": JKS keystore plus encrypted password vault |
| 12 Mar 06:02 | Buyer ("nexusthief") opens the keystore with the Java default password "changeit", unchanged since 2020 |
| 12 Mar 06:15 | Forges a JWT with the private RSA key inside; the global SSO gateway accepts it as a bearer session cookie |
| 12 Mar 06:27 | Script loops through 140k tenant IDs and exfiltrates 6M user records (emails, encrypted OTP seeds, tenant API keys) |
| 12 Mar 07:01 | rclone sync to an S3 bucket on a rival cloud; bucket left public-read for 30 min (screenshots later deleted) |
| 12 Mar 08:00 | Oracle revokes the key pair, rejects tokens signed with it, opens a SEV-1 incident |
| 14 Mar | Dump re-packaged as "OracleCloud-Leak-V3", $50k asking price on Exploit.in |
| 20 Mar | CISA alert AA25-079A urges all Oracle Cloud customers to rotate API keys and reset MFA |
"We identified unauthorised access to a set of SSO credentials… no evidence that Oracle Cloud Infrastructure services were compromised."
— Oracle Security Bulletin, 13 Mar 2025
Fallout: One Key, Six Million Keys to the Kingdom
- Tenants touched: startups, Fortune 500 companies, UK National Health Service (NHSmail)
- Unique emails plus 160k encrypted OTP seeds; once the seeds are decrypted, an attacker can generate valid one-time codes and bypass MFA outright
- Cryptocurrency mining detected using 4.3k leaked API keys before revocation
- NHS suspends Oracle Cloud procurement; 18k staff forced to re-enrol MFA
Kill-Chain Deconstructed: Default Password → Global JWT → Customer Vaults
| MITRE Tactic | Technique | Oracle Cloud Reality |
|---|---|---|
| Credential Access | T1552.004 Unsecured Credentials: Private Keys | JKS file found on a public dev-share (open-directory index), opened with the default keystore password |
| Credential Access | T1606 Forge Web Credentials | Private key signs a new JWT; the gateway trusts any JWT signed by that key, and keeps doing so until the key is rotated |
| Initial Access | T1078.004 Valid Accounts: Cloud Accounts | Forged token presented to the SSO gateway as a normal session; no key-ID check or lifetime cap stands in the way |
| Discovery | T1087.004 Account Discovery: Cloud Account | Loop tenant IDs 000001 → 140000 via /v1/tenants/{id}/users |
| Collection | T1119 Automated Collection | JSON responses contain email, role, mfaSecret, apiKey |
| Exfiltration | T1567.002 Exfiltration to Cloud Storage | rclone sync to external S3; 30-minute public-read window |
| Impact | T1496 Resource Hijacking | 4.3k leaked API keys used for crypto mining; dump resold and OTP seeds held for follow-on MFA bypass |
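The forge-and-trust step in the table above, as an added example (not Oracle's gateway code or the attacker's script): SignJWT is what anyone holding the private key can run, and Gateway.Verify shows the checks that turn a leaked key from a permanent skeleton key into a bounded one. The key IDs "2020-dev" and "2025-03", the subject, the 48-hour and 15-minute lifetime caps and the choice of RS256 are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// SignJWT mints an RS256 token; anyone holding the private key can run this.
func SignJWT(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Gateway is a minimal SSO verifier: active key IDs, a token-lifetime cap, and an injectable clock.
type Gateway struct {
	Keys   map[string]*rsa.PublicKey
	MaxTTL time.Duration
	Now    func() time.Time
}

// Verify accepts a token only if its kid is active, the signature is valid and the lifetime is within policy.
func (g *Gateway) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	bodyJSON, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad encoding or unsupported header")
	}
	pub, ok := g.Keys[hdr.Kid] // meaningless when the active set is never pruned
	if !ok {
		return nil, fmt.Errorf("kid %q is not an active signing key", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(bodyJSON, &c) != nil {
		return nil, errors.New("unreadable claims")
	}
	remaining := time.Unix(c.Exp, 0).Sub(g.Now())
	if remaining <= 0 || remaining > g.MaxTTL {
		return nil, fmt.Errorf("token lifetime %v outside policy (max %v)", remaining, g.MaxTTL)
	}
	return &c, nil
}

// Scenario replays the incident with freshly generated keys: "2020-dev" stands in for the key
// inside the leaked keystore, "2025-03" for a rotated one. It reports whether the forged token
// is accepted by a gateway that (a) still trusts the 2020 key, (b) retired it, (c) caps tokens at 15 min.
func Scenario() (staleAccepts, rotatedAccepts, cappedAccepts bool) {
	leaked, err1 := rsa.GenerateKey(rand.Reader, 2048)
	current, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Date(2025, 3, 12, 6, 15, 0, 0, time.UTC)
	clock := func() time.Time { return now }
	// The attacker mints a day-long admin session for an arbitrary tenant.
	forged, err := SignJWT(leaked, "2020-dev", Claims{Sub: "admin@tenant-000001", Exp: now.Add(24 * time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	both := map[string]*rsa.PublicKey{"2020-dev": &leaked.PublicKey, "2025-03": &current.PublicKey}
	onlyNew := map[string]*rsa.PublicKey{"2025-03": &current.PublicKey}
	_, e1 := (&Gateway{Keys: both, MaxTTL: 48 * time.Hour, Now: clock}).Verify(forged)
	_, e2 := (&Gateway{Keys: onlyNew, MaxTTL: 48 * time.Hour, Now: clock}).Verify(forged)
	_, e3 := (&Gateway{Keys: both, MaxTTL: 15 * time.Minute, Now: clock}).Verify(forged)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true false false`: the same forged token sails through the gateway that never retired the 2020 key, and is stopped by either retiring the key ID or capping session lifetime. Neither fix requires knowing the key was leaked, which is the point: rotation and short lifetimes bound the damage of a leak you have not yet detected.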
Root Causes: The Kettle Wasn't the Only Thing Boiling Over
1. Default keystore password "changeit", never rotated since the 2020 dev deployment
2. JKS file stored on a public-facing Confluence page, indexed by Google and found via a search dork
3. No signing-key rotation or key-ID check on the SSO gateway: any JWT signed by the 2020 private key was trusted, with no cap on token lifetime (certificate pinning would not have helped here, since the attacker held the private key itself)
4. Tenant enumeration: no rate limit on /v1/tenants/{id}, so 140k IDs were scraped in 5 min
5. Missing cloud-trail alerts: 6M API calls in 34 min went unnoticed; mean time to detect was 2h 18min
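Root causes 4 and 5 together, as an added example (not Oracle's tooling): a detector for tenant enumeration run over constructed gateway access-log lines. The log format, the client addresses and the 100-calls-per-minute threshold are assumptions; what it adds beyond a plain rate limit is a score for how sequential the tenant IDs are, which is what separates an ID walk from a busy but legitimate integration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"time"
)

// logLine matches the constructed access-log format used below:
// <RFC3339 time> <client IP> <method> /v1/tenants/<id>[/...] <status>
var logLine = regexp.MustCompile(`^(\S+) (\S+) (\S+) /v1/tenants/(\d+)\S* (\d{3})$`)

// Alert describes one client/minute bucket that crossed the threshold.
type Alert struct {
	Client     string
	Minute     time.Time
	Calls      int
	Tenants    int     // distinct tenant IDs touched in that minute
	Sequential float64 // share of sorted tenant-ID gaps equal to 1; ~1.0 means a straight walk
}

// Analyze buckets tenant-API calls per client per minute and flags buckets above maxPerMinute.
func Analyze(lines []string, maxPerMinute int) []Alert {
	type bucket struct {
		client string
		minute time.Time
	}
	calls := map[bucket]int{}
	ids := map[bucket]map[int]bool{}
	for _, l := range lines {
		m := logLine.FindStringSubmatch(l)
		if m == nil {
			continue // not a tenant call, or unparseable
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		id, _ := strconv.Atoi(m[4])
		b := bucket{m[2], ts.Truncate(time.Minute)}
		calls[b]++
		if ids[b] == nil {
			ids[b] = map[int]bool{}
		}
		ids[b][id] = true
	}
	var alerts []Alert
	for b, n := range calls {
		if n <= maxPerMinute {
			continue
		}
		sorted := make([]int, 0, len(ids[b]))
		for id := range ids[b] {
			sorted = append(sorted, id)
		}
		sort.Ints(sorted)
		consecutive := 0
		for i := 1; i < len(sorted); i++ {
			if sorted[i]-sorted[i-1] == 1 {
				consecutive++
			}
		}
		seq := 0.0
		if len(sorted) > 1 {
			seq = float64(consecutive) / float64(len(sorted)-1)
		}
		alerts = append(alerts, Alert{Client: b.client, Minute: b.minute, Calls: n, Tenants: len(sorted), Sequential: seq})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Calls > alerts[j].Calls })
	return alerts
}

// SampleLog is constructed data, not a real Oracle log: one integration making a few
// calls to its own tenant, and one client walking tenant IDs in order.
func SampleLog() []string {
	base := time.Date(2025, 3, 12, 6, 27, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 3; i++ {
		lines = append(lines, fmt.Sprintf("%s 198.51.100.4 GET /v1/tenants/004217/users 200",
			base.Add(time.Duration(i)*15*time.Second).Format(time.RFC3339)))
	}
	for i := 1; i <= 150; i++ {
		lines = append(lines, fmt.Sprintf("%s 203.0.113.7 GET /v1/tenants/%06d/users 200",
			base.Add(time.Duration(i)*300*time.Millisecond).Format(time.RFC3339), i))
	}
	lines = append(lines, "2025-03-12T06:27:05Z 203.0.113.7 GET /v1/health 200")
	return lines
}

func main() {
	for _, a := range Analyze(SampleLog(), 100) {
		fmt.Printf("ALERT %s at %s: %d calls, %d tenants, %.0f%% sequential -> block client, page on-call\n",
			a.Client, a.Minute.Format("15:04"), a.Calls, a.Tenants, a.Sequential*100)
	}
}
```

On the sample the walking client produces one alert (150 calls, 150 distinct tenants, 100% sequential) while the integration hitting a single tenant three times stays silent. In a real pipeline the same bucketing runs over the audit stream and the Sequential score is what justifies an automatic block rather than a soft rate limit.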
Expert Insight: "The Cloud Is Only as Strong as Its Weakest Key"
"Oracle didn't get breached—a secret got published. In 2025 if your private key lives longer than your kettle stays hot, you're already compromised."
— Tanya Janca, Founder, We Hack Purple
Six NIST Controls That Keep the Kettle (and the Key) Locked Down
- Hardware Security Module (HSM): store SSO signing keys in a cloud HSM only, with export to JKS or PEM disabled
- Signing-key rotation and key-ID validation: rotate signing keys every 30 days, publish the active public keys with key IDs (kid), and have the gateway reject any token whose kid is not in the active set or whose lifetime exceeds policy
- Rate limiting and anomaly detection: more than 100 tenant calls per minute from one client → auto-block; a SOAR playbook pages on-call
- Default-secret scanner: CI/CD gate fails the build if "changeit", "password" or "admin" is found as a credential value in config files
- Encrypted OTP seeds at rest: AES-256-GCM envelope around TOTP secrets, with a separate KMS key per tenant
- Immutable cloud-trail backups: daily logs shipped to WORM S3 with 7-year retention for forensic replay
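The envelope-encryption control above, as an added example (not Oracle's implementation): TOTP seeds sealed with a per-record data key under AES-256-GCM, the data key wrapped with a per-tenant key that in production would live in a KMS or HSM. Tenant and user names and the in-memory tenant key are assumptions for illustration, and the constructed seed value is not a real secret. The additional-data binding shows why a dumped row cannot simply be copied onto another account.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure is unrecoverable
	}
	return b
}

// TenantKEK stands in for a per-tenant key held in a KMS or HSM; in production the raw bytes never leave it.
type TenantKEK struct {
	TenantID string
	key      []byte // 32 bytes: AES-256
}

// SealedSeed is the stored row; a table dump without the tenant KEKs yields no usable seeds.
type SealedSeed struct {
	TenantID, UserID string
	WrappedDEK, Seed []byte // each: 12-byte nonce || ciphertext || 16-byte GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce and prepends the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// rowAAD binds a ciphertext to its tenant and user, so a seed copied into another row fails to decrypt.
func rowAAD(tenantID, userID string) []byte { return []byte(tenantID + "|" + userID) }

// SealSeed generates a 256-bit data key per record, encrypts the seed with it, then wraps the data key with the tenant KEK.
func SealSeed(kek *TenantKEK, userID string, seed []byte) (*SealedSeed, error) {
	dek := randomBytes(32)
	aad := rowAAD(kek.TenantID, userID)
	sealedSeed, err1 := seal(dek, seed, aad)
	wrapped, err2 := seal(kek.key, dek, aad)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("seal failed: %v %v", err1, err2)
	}
	return &SealedSeed{TenantID: kek.TenantID, UserID: userID, WrappedDEK: wrapped, Seed: sealedSeed}, nil
}

// OpenSeed unwraps the data key with the tenant KEK, then decrypts the seed.
func OpenSeed(kek *TenantKEK, row *SealedSeed) ([]byte, error) {
	aad := rowAAD(row.TenantID, row.UserID)
	dek, err := open(kek.key, row.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, row.Seed, aad)
}

// Demo reports: round trip works; another tenant's KEK is rejected; a row re-labelled to another user is rejected.
func Demo() (roundTrip, crossTenantRejected, retagRejected bool) {
	acme := &TenantKEK{TenantID: "tenant-000001", key: randomBytes(32)}
	rival := &TenantKEK{TenantID: "tenant-000002", key: randomBytes(32)}
	seed := []byte("JBSWY3DPEHPK3PXP") // constructed base32 TOTP seed, not a real secret
	row, err := SealSeed(acme, "alice@acme.example", seed)
	if err != nil {
		panic(err)
	}
	got, err := OpenSeed(acme, row)
	_, crossErr := OpenSeed(rival, row)
	moved := *row
	moved.UserID = "mallory@acme.example" // attacker copies alice's sealed seed onto another account
	_, moveErr := OpenSeed(acme, &moved)
	return err == nil && bytes.Equal(got, seed), crossErr != nil, moveErr != nil
}
func main() { fmt.Println(Demo()) }
```

The per-tenant KEK is what makes a leak of the user table, on its own, recoverable: revoking or rotating one tenant's key in the KMS invalidates only that tenant's wrapped data keys, and the stolen rows never become working seeds unless the KMS itself is compromised.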
Quick-Start Playbook: What to Do Before the Kettle Whistles Again
- Rotate all SSO signing keys, revoke the old ones and force a global re-authentication
- Enable HSM-only key storage; delete local JKS files everywhere
- Implement per-tenant rate limiting, with CAPTCHA and geo-velocity checks on the SSO front end
- Run a purple-team JWT-forgery exercise and measure detection-to-containment time
- Run automated secret scans across Confluence, SharePoint and GitHub, breaking the build on default credentials
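The secret-scan gate from the last step, as an added example (not an existing Oracle or CI-vendor tool): it walks a constructed repository snapshot and fails on default credential values, committed PEM private keys and Java keystores recognised by their 0xFEEDFEED header, which is how a "changeit"-protected JKS would be caught before it reached a wiki or a share. File names, the rule set and the sample contents are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Finding is one reason for the gate to fail the build.
type Finding struct {
	File, Rule, Detail string
}

// defaultSecrets are values the gate refuses in any credential-looking setting.
var defaultSecrets = map[string]bool{"changeit": true, "password": true, "admin": true, "secret": true}

// credentialSetting matches "key=value" or "key: value" lines whose key looks like a credential.
var credentialSetting = regexp.MustCompile(`(?i)^\s*([\w.\-]*(?:pass(?:word)?|pwd|secret|storepass|keypass)[\w.\-]*)\s*[=:]\s*["']?([^"'\s]+)["']?\s*$`)

var pemPrivateKey = regexp.MustCompile(`-----BEGIN (?:RSA |EC |)PRIVATE KEY-----`)

// keystoreMagic: 0xFEEDFEED opens a JKS file, 0xCECECECE a JCEKS file.
var keystoreMagic = [][]byte{{0xFE, 0xED, 0xFE, 0xED}, {0xCE, 0xCE, 0xCE, 0xCE}}

// Scan checks one file: keystores by magic bytes, text files for default credential
// values and embedded PEM private keys.
func Scan(name string, content []byte) []Finding {
	var out []Finding
	for _, magic := range keystoreMagic {
		if bytes.HasPrefix(content, magic) {
			return append(out, Finding{name, "keystore-in-repo", "Java keystore committed; signing keys belong in an HSM/KMS"})
		}
	}
	if pemPrivateKey.Match(content) {
		out = append(out, Finding{name, "private-key-in-repo", "PEM private key block"})
	}
	for i, line := range strings.Split(string(content), "\n") {
		m := credentialSetting.FindStringSubmatch(line)
		if m != nil && defaultSecrets[strings.ToLower(m[2])] {
			out = append(out, Finding{name, "default-credential", fmt.Sprintf("line %d: %s=%s", i+1, m[1], m[2])})
		}
	}
	return out
}

// Gate scans a repository snapshot (path -> content) and returns all findings in path order.
func Gate(files map[string][]byte) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var all []Finding
	for _, p := range paths {
		all = append(all, Scan(p, files[p])...)
	}
	return all
}

// SampleRepo is a constructed snapshot, not real Oracle configuration.
func SampleRepo() map[string][]byte {
	return map[string][]byte{
		"sso/keystore.jks":           append([]byte{0xFE, 0xED, 0xFE, 0xED, 0, 0, 0, 2}, []byte("constructed-binary-body")...),
		"sso/application.properties": []byte("server.ssl.key-store=classpath:keystore.jks\nserver.ssl.key-store-password=changeit\nserver.ssl.key-password=changeit\n"),
		"deploy/values.yaml":         []byte("db:\n  user: app\n  password: \"S3cure-R4ndom-Value\"\n"),
		"scripts/dev.env":            []byte("ADMIN_PASSWORD=admin\n"),
		"certs/old.pem":              []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
	}
}

func main() {
	findings := Gate(SampleRepo())
	for _, f := range findings {
		fmt.Printf("%-28s %-20s %s\n", f.File, f.Rule, f.Detail)
	}
	if len(findings) > 0 {
		os.Exit(1) // break the build
	}
}
```

On the sample snapshot the gate reports five findings (three default credentials, one committed keystore, one PEM key) and exits non-zero, while the values file with a strong password passes. The same Scan function can be pointed at exported Confluence or SharePoint pages, which is where this incident's keystore actually sat.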
The Kettle Challenge
The attacker needed 12 minutes to loot six million records, but the private key's exposure began years earlier, probably while someone waited for water to boil.
If Oracle Cloud's single sign-on can be cloned in kettle-boiling time, ask yourself:
"What am I doing during the time it takes to boil a kettle?"
Verified Sources
1. Oracle Cloud SSO breach bulletin. Oracle Security Bulletin, 13 Mar 2025.
2. CISA Alert AA25-079A: Oracle Cloud Key Leak. CISA, 20 Mar 2025.
3. Six million Oracle Cloud customers affected by key leak. The Record, 15 Mar 2025.
4. NHS Wales suspends Oracle Cloud procurement after key breach. NHS Wales Digital, 22 Mar 2025.
5. Class-action complaint vs. Oracle Corp. U.S. District Court, Northern District of California, 01 Apr 2025.
Secure Your Cloud SSO from Key Exposure
Don't let default passwords become your company's skeleton key. Get a free cloud security assessment to identify exposed keys and implement proper HSM-based key management.