Oracle Breach: Preparing for Identity Attacks on OCI and Beyond

Kate Turchin
Updated
March 28, 2025
May 7, 2025
4 minutes

Last week, a threat actor by the name of ‘rose87168’ claimed to have breached Oracle Cloud Infrastructure (OCI) servers and began selling the alleged authentication data and encrypted passwords of 6 million users.

The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files, and offered to share some of the data with anyone who could help recover them.

What does this mean for businesses?

If what the attacker is saying is true, malicious actors may have their hands on what are essentially front door keys to thousands of OCI environments – they may even be able to bypass MFA and SSO. For OCI users, that means a high risk of unauthorized access and data breaches via compromised identities.

Identities Are Your Perimeter

The 2024 Verizon Data Breach Investigations Report found that 80% of cyber attacks involve stolen credentials, up 71% from the previous year. The cybercrime market has seen a sixfold increase in credentials stolen by malware and offered for sale, and one report found that use of stolen credentials and phishing are among the ten most-discussed topics on cybercriminal forums.

Attackers don’t need to burn a zero day when they can walk through the front door, and walking through the front door is exactly what they are doing. Many of the largest breaches of the last couple of years stemmed from identity attacks:

  • Change Healthcare (2024): Attackers used stolen credentials to log in to a remote-access portal that had no MFA. They then deployed ransomware that encrypted files and exfiltrated an estimated 6 terabytes of data, affecting an estimated 100 million individuals.
  • Snowflake (2024): Attackers used customer credentials harvested by infostealer malware, some of them years old, to log in to Snowflake customer instances that had no MFA configured. The campaign affected Ticketmaster, AT&T, Santander, and more, and exposed over 28 million credit card numbers.
  • The U.S. Treasury Department (2024): It is not only human identities that expose companies; non-human identities do too. In this breach, attackers used a compromised API key for the BeyondTrust remote-support service Treasury relied on to reach Treasury workstations and steal sensitive information.

Mitigations for OCI Users

If your organization uses OCI and its credentials may be among the exposed data, these are the immediate actions to take.

Mandatory password reset: Force a password change for every user in the tenancy and revoke active console sessions, so that a password lifted from the leaked data stops working even if an attacker has already signed in with it.

Enforce MFA: Audit your MFA policies and ensure enforcement for every user, including guest and contractor accounts. In OCI, MFA is enforced by the sign-on policies of your IAM identity domain, so check the policy itself, not just which users happen to have enrolled a device.

Rotate access keys and tokens: Replace every non-password credential tied to your Oracle Cloud users: API signing keys, auth tokens, customer secret keys, OAuth 2.0 client credentials and SMTP credentials. Where a workload runs inside OCI, move it to instance or resource principals so there is no long-lived user key left to leak.

Review IAM permissions: Audit your policies, group memberships and dynamic groups to ensure users have only the minimum necessary permissions. Remove any unnecessary privileged access, starting with membership of the Administrators group.
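The first four steps are only done when every credential in the tenancy has been accounted for, which is easier with an inventory than by hand. The script below is an added example, not Reco's or Oracle's code: it takes user, API-key and auth-token records in the shape returned by `oci iam user list`, `oci iam user api-key list` and `oci iam auth-token list` (the field names are an assumption to confirm against your own CLI output; the OCIDs and dates are constructed placeholders) and turns them into an ordered remediation list: password reset and MFA check for every active user, a rotation entry for every API key and auth token, and deletion of any credential still attached to a disabled user.

```python
"""Triage an OCI IAM credential inventory after a suspected credential leak.

Added illustration, not Reco's or Oracle's code. The records mirror the shape of
`oci iam user list`, `oci iam user api-key list` and `oci iam auth-token list`
output (field names are an assumption to confirm against your own CLI output),
and the sample data is constructed: the OCIDs are abbreviated placeholders.
"""
from datetime import datetime, timezone

NOW = datetime(2025, 3, 28, tzinfo=timezone.utc)   # fixed clock so the run is reproducible

# Constructed inventory. In practice: oci iam user list --compartment-id <tenancy> --all
USERS = [
    {"id": "ocid1.user..alice", "name": "alice@example.com",  "is-mfa-activated": True,  "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user..bob",   "name": "bob@example.com",    "is-mfa-activated": False, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user..svc",   "name": "ci-deployer",        "is-mfa-activated": False, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user..old",   "name": "leaver@example.com", "is-mfa-activated": False, "lifecycle-state": "INACTIVE"},
]
# user id -> API signing keys. In practice: oci iam user api-key list --user-id <ocid>
API_KEYS = {
    "ocid1.user..alice": [{"fingerprint": "aa:11:..", "time-created": "2025-02-01T00:00:00Z", "lifecycle-state": "ACTIVE"}],
    "ocid1.user..svc":   [{"fingerprint": "cc:33:..", "time-created": "2024-06-15T00:00:00Z", "lifecycle-state": "ACTIVE"},
                          {"fingerprint": "cc:44:..", "time-created": "2025-03-20T00:00:00Z", "lifecycle-state": "ACTIVE"}],
    "ocid1.user..old":   [{"fingerprint": "dd:55:..", "time-created": "2023-11-02T00:00:00Z", "lifecycle-state": "ACTIVE"}],
}
# user id -> auth tokens (used for container registry, S3-compatible and similar logins).
# In practice: oci iam auth-token list --user-id <ocid>
AUTH_TOKENS = {
    "ocid1.user..bob": [{"id": "tok-1", "description": "docker", "time-created": "2024-01-10T00:00:00Z", "time-expires": None}],
}


def _age_days(created, now=NOW):
    """Days since an ISO-8601 'time-created' stamp."""
    return (now - datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)).days


def triage(users, api_keys, auth_tokens, now=NOW):
    """Return an ordered list of (action, user, detail) covering every credential in the inventory."""
    actions = []
    for u in users:
        uid, name = u["id"], u["name"]
        keys = [k for k in api_keys.get(uid, []) if k["lifecycle-state"] == "ACTIVE"]
        tokens = auth_tokens.get(uid, [])
        if u["lifecycle-state"] != "ACTIVE":
            # Disabled users keep their credentials on record; delete them so a re-enabled
            # account does not come back with old keys attached.
            actions += [("DELETE_API_KEY", name, k["fingerprint"]) for k in keys]
            actions += [("DELETE_AUTH_TOKEN", name, t["id"]) for t in tokens]
            continue
        actions.append(("RESET_PASSWORD", name, "force change at next console sign-in"))
        if not u["is-mfa-activated"]:
            # For service users, prefer instance/resource principals over MFA-less user keys.
            actions.append(("ENABLE_MFA", name, "no MFA factor enrolled"))
        for k in keys:
            # API signing keys are not rotated in place: upload a new public key, cut callers
            # over, then delete the old fingerprint (oci iam user api-key delete --fingerprint ...).
            actions.append(("ROTATE_API_KEY", name, f"{k['fingerprint']} ({_age_days(k['time-created'], now)}d old)"))
        for t in tokens:
            expiry = "no expiry" if t.get("time-expires") is None else "expires " + t["time-expires"]
            actions.append(("ROTATE_AUTH_TOKEN", name, f"{t['id']} ({_age_days(t['time-created'], now)}d old, {expiry})"))
    return actions


def summarize(actions):
    """Count actions by type so progress on the runbook can be tracked."""
    counts = {}
    for action, _, _ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    plan = triage(USERS, API_KEYS, AUTH_TOKENS)
    for action, user, detail in plan:
        print(f"{action:<18} {user:<20} {detail}")
    print(summarize(plan))
```

Customer secret keys, OAuth client credentials and SMTP credentials have their own `oci iam` list commands and would be folded in the same way; the point of the inventory is that the rotation list is generated from what the tenancy actually contains rather than from memory.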

Monitor for suspicious activity: Increase logging and monitoring of Oracle Cloud activity. OCI Audit records the API calls made in your tenancy; look there for unusual access patterns, unexpected source IPs or geographic locations, off-hours usage, and unusual data transfer volumes (for example Object Storage reads far above a user's normal baseline).

Check for unauthorized account modifications: Verify no unauthorized changes have been made to account settings, security configurations, or user permissions. New API keys, new auth tokens, new users, group additions and policy edits are what an attacker with a stolen password does first to make access persistent, and each of them appears in the audit log as an identity control plane event.
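The last two steps reduce to a handful of rules over the audit trail. The following is an added example, not Reco's or Oracle's code: it runs three rules over a constructed OCI Audit export (unknown source IP, off-hours activity, and sensitive identity control plane changes such as UploadApiKey or AddUserToGroup) and ranks principals by how many rules they trip. The events are built to follow the OCI Audit event layout (eventType, eventTime, data.eventName, data.identity.principalName and ipAddress); the exact field names, the allowlisted CIDR and the business-hours window are assumptions to verify and replace for your own tenancy.

```python
"""Scan OCI Audit events for the activity the mitigations above ask you to watch for.

Added illustration, not Reco's or Oracle's code. The events below are constructed
to follow the OCI Audit event layout (eventType, eventTime, data.eventName,
data.identity.principalName / ipAddress); verify the field names against the
Audit event reference before pointing this at a real export, and replace the
allowlist and business hours with your own.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Assumption: your corporate egress ranges. Anything else counts as an unknown source.
KNOWN_SOURCE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(6, 20)        # 06:00-19:59 UTC, Monday to Friday
# Identity control plane operations that change who can sign in or what they may do.
SENSITIVE_IAM_EVENTS = {
    "CreateUser", "UpdateUser", "CreateOrResetUIPassword", "UploadApiKey",
    "CreateAuthToken", "CreateCustomerSecretKey", "AddUserToGroup",
    "CreatePolicy", "UpdatePolicy", "UpdateUserCapabilities",
}


def _event(event_type, name, principal, ip, when):
    """Build a constructed audit event in the (abbreviated) OCI Audit layout."""
    return {"eventType": event_type, "eventTime": when,
            "data": {"eventName": name, "identity": {"principalName": principal, "ipAddress": ip}}}


# Constructed sample export: one normal read, two late-night IAM changes from an unknown
# address by the same user, and one normal compute call from a pipeline account.
EVENTS = [
    _event("com.oraclecloud.objectstorage.getobject", "GetObject", "alice@example.com", "203.0.113.10", "2025-03-25T09:15:00Z"),
    _event("com.oraclecloud.identityControlPlane.UploadApiKey", "UploadApiKey", "bob@example.com", "198.51.100.77", "2025-03-26T02:40:00Z"),
    _event("com.oraclecloud.identityControlPlane.AddUserToGroup", "AddUserToGroup", "bob@example.com", "198.51.100.77", "2025-03-26T02:41:00Z"),
    _event("com.oraclecloud.computeapi.launchinstance", "LaunchInstance", "ci-deployer", "203.0.113.20", "2025-03-27T14:00:00Z"),
]


def evaluate(event):
    """Return the names of the rules a single event trips (empty list if none)."""
    data, ident = event["data"], event["data"]["identity"]
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ip = ipaddress.ip_address(ident["ipAddress"])
    hits = []
    if event["eventType"].startswith("com.oraclecloud.identityControlPlane.") and data["eventName"] in SENSITIVE_IAM_EVENTS:
        hits.append("SENSITIVE_IAM_CHANGE")          # persistence: new keys, new users, new rights
    if not any(ip in net for net in KNOWN_SOURCE_CIDRS):
        hits.append("UNKNOWN_SOURCE_IP")             # not from a known office or VPN egress
    if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS_UTC:
        hits.append("OFF_HOURS")
    return hits


def scan(events):
    """Flatten the export into one alert per (event, rule) pair."""
    alerts = []
    for e in events:
        for rule in evaluate(e):
            alerts.append({"rule": rule, "principal": e["data"]["identity"]["principalName"],
                           "event": e["data"]["eventName"], "ip": e["data"]["identity"]["ipAddress"],
                           "time": e["eventTime"]})
    return alerts


def by_principal(alerts):
    """Alert count per principal; a user tripping several rules at once goes to the top of the queue."""
    return Counter(a["principal"] for a in alerts)


if __name__ == "__main__":
    found = scan(EVENTS)
    for a in found:
        print(f"{a['time']} {a['rule']:<22} {a['principal']:<20} {a['event']} from {a['ip']}")
    print(dict(by_principal(found)))
```

Each rule on its own produces noise (an admin working late, a new office range); the signal is the combination, which is why the output is ranked per principal rather than per event.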

Broader Implications for SaaS Security

You should always vet potential vendors before bringing them on. Third-party risk management solutions like SecurityScorecard can help you assess the security posture of your vendor partners so you can make an informed decision about entering into a relationship with them.

However, even the most reputable vendors, such as Oracle and Snowflake, are at risk of security issues that could impact your organization. Therefore, it’s best to operate with a Zero Trust philosophy: assume your vendors can’t be trusted to protect your credentials and take it upon yourself to monitor identities rigorously.

How Reco Can Help with Identity Security

Reco can help you secure your SaaS identities across your entire SaaS stack. Here’s how Reco can help:

Identity Threat Detection and Response (ITDR): Reco monitors for suspicious behavior on the identity level and alerts on signs of compromise in real time. Get notified on impossible travel, excessive login attempts, suspicious downloads, privilege escalation, or off-hours activity that may indicate malicious intent.

→ Read Next: How Reco Uses Identity Analytics to Detect Sophisticated Threats (Blog)

Identity Consolidation: Every individual at your organization will populate 10+ unique SaaS identities, which makes identities difficult to manage. Reco uses machine learning to consolidate SaaS identities so you can monitor, track, and investigate identity behavior across multiple SaaS apps. This streamlines investigations and allows Reco to piece together behavior sequences and flag activity that would not look suspicious if you were only looking at one app (e.g., a login from France in one tool right after a login from the US in another).
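To make the cross-app point concrete, here is an added example, not Reco's implementation: it maps app-local usernames (an email in one app, a member ID in another) to one person via a constructed directory, then runs impossible-travel detection over the merged login stream. The logins and their coordinates are constructed (a real pipeline would derive coordinates from IP geolocation of each login's source address), and the 900 km/h threshold is an assumption. Each person logs in to each app only once, so the per-app view has nothing to compare and flags nothing; only the consolidated view sees the New York to Paris jump.

```python
"""Consolidate per-app SaaS identities and run impossible-travel detection across them.

Added illustration of the cross-app correlation described above, not Reco's
implementation. The login events, the directory that maps app-specific usernames
to one person, and the coordinates are constructed; a real pipeline would take
the coordinates from an IP geolocation lookup on each login's source address.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900          # assumption: roughly airliner speed; faster than this is "impossible"

# Assumption: directory export mapping (app, app_username) -> canonical identity.
DIRECTORY = {
    ("crm", "alice@example.com"): "alice@example.com",
    ("chat", "U02ALICE"):         "alice@example.com",
    ("crm", "bob@example.com"):   "bob@example.com",
    ("chat", "U03BOB"):           "bob@example.com",
}

# Constructed logins: (app, app_username, time UTC, lat, lon).
LOGINS = [
    ("crm",  "alice@example.com", "2025-03-26T08:00:00Z", 40.71, -74.01),   # New York
    ("chat", "U02ALICE",          "2025-03-26T09:30:00Z", 48.86,   2.35),   # Paris, 90 min later
    ("crm",  "bob@example.com",   "2025-03-26T08:00:00Z", 51.51,  -0.13),   # London
    ("chat", "U03BOB",            "2025-03-26T12:00:00Z", 48.86,   2.35),   # Paris, 4 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on an Earth of radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def consolidated(app, username):
    """Resolve an app-local username to the person behind it (unknown users stay app-scoped)."""
    return DIRECTORY.get((app, username), f"{app}:{username}")


def per_app(app, username):
    """Resolver that does not consolidate: each app's users stay separate identities."""
    return f"{app}:{username}"


def impossible_travel(logins, resolve, max_kmh=MAX_PLAUSIBLE_KMH):
    """Group logins by resolved identity, order by time, flag consecutive pairs implying speed > max_kmh."""
    by_identity = {}
    for app, user, ts, lat, lon in logins:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_identity.setdefault(resolve(app, user), []).append((when, app, lat, lon))
    findings = []
    for identity, events in by_identity.items():
        events.sort()
        for (t0, app0, la0, lo0), (t1, app1, la1, lo1) in zip(events, events[1:]):
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(la0, lo0, la1, lo1)
            speed = km / max(hours, 1 / 3600)        # floor at one second so simultaneous logins from two places still flag
            if speed > max_kmh:
                findings.append({"identity": identity, "from": app0, "to": app1,
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    print("per-app view:    ", impossible_travel(LOGINS, per_app))
    print("consolidated view:", impossible_travel(LOGINS, consolidated))
```

The directory lookup is the whole trick: once two app-local usernames resolve to the same person, any per-identity detection (impossible travel, login velocity, privilege changes) automatically sees the sequence that neither app's own log contains.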

SSO Management and Enforcement: Although SSO has been widely embraced, tracking and managing SSO enforcement across your environment is difficult with traditional tools. Reco provides visibility into which apps have SSO enforced, and which do not, so you can ensure comprehensive enforcement.

MFA Enforcement: Reco’s recent report found that, despite industry-wide adoption of MFA, 9.5% of accounts still don’t have MFA enforced. Reco provides visibility into every identity without MFA enforced so you can remediate swiftly.

Shadow SaaS discovery: Reco’s research team found that organizations have an average of 490 apps connected to their environment, 26% of them shadow apps not monitored by security. The shadow SaaS ecosystem represents a large attack surface that most organizations don’t account for. Reco discovers all your apps so you can deauthorize risky ones and monitor and manage the ones you choose to support.


Secure Your SaaS Identities with Reco Today

Identity attacks are growing in frequency. The OCI breach is a reminder that even our most trusted software providers can expose our credentials. Protect your entire SaaS stack from identity attacks with Reco. Schedule a demo today.


Kate Turchin

ABOUT THE AUTHOR

Kate Turchin is the Director of Demand Generation at Reco.

Technical Review by:
Gal Nakash
