
Oracle Cloud Breach: Updated Vulnerability Questionnaire and Best Practices

On March 21, 2025, an attacker named rose87168 reported having broken into Oracle's authentication endpoints and was prepared to sell the exfiltrated data. The exploit resulted in the attacker(s) copying single sign-on (SSO) credentials, Lightweight Directory Access Protocol (LDAP) passwords, OAuth2 keys, Java Platform Security (JPS) keys, and other tenant data. The method of exploitation has been investigated by cybersecurity firms and was confirmed by Cloudsec on March 27, 2025. This document provides an overview of steps to protect your organization and your third-party network, along with a brief summary of our investigation and mitigation efforts.

Overview: Key Information for TPRM Teams

Oracle Cloud is a cloud computing service offered by Oracle Corporation, providing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions. It is designed to help businesses run applications, store data, and manage computing resources efficiently. Oracle Cloud specializes in enterprise applications, databases, analytics, and security solutions, making it a good choice for organizations looking for scalable, high-performance cloud solutions. Oracle Cloud integrates seamlessly with Oracle products like Oracle Database and ERP systems.

Impact and Remediation Steps

If your organization was using Oracle Cloud before March 31, 2025, you may be affected by this breach.

Step 1: Determine if you are at risk.

  • If you are using Oracle Cloud, reach out to Oracle or search for any notifications.
  • Confirm whether any of your critical vendors are at risk from this incident, and document what they have done to mitigate their risk (if applicable).
  • Whistic has published a questionnaire to help you assess your vendors that may be impacted by this Oracle vulnerability.

Step 2: Promptly implement mitigating actions.

  • Make sure your team is aware of the breach and whether it applies to your organization.
  • If impacted, immediately change all primary passwords to sufficiently long and complex passwords/passphrases (12+ characters, including numbers and symbols).
  • Rotate SSO and LDAP private keys.

Does this affect Whistic?

Whistic does not use Oracle Cloud, and this breach does not impact our organization.

Best Practices for Confirmed or Suspected Vendor Breaches

Whistic customers benefit from customized questionnaires built to quickly assess specific vulnerabilities across the vendor supply chain. But whatever TPRM platform, tool, or process your business utilizes, here are some critical steps to incorporate in the event of a possible incident involving third or fourth parties:

Confirm and classify the incident

  • Validate the breach through trusted sources; these may include trusted news sources, cybersecurity consultants, real-time risk rating agencies/solutions, or ongoing internal audits.
  • Determine if your vendor is directly impacted or if the threat is downstream (fourth party).
  • Classify the potential impact by cataloging the systems, data types, and data volumes that may be compromised; determine the regulatory scope of the incident.

Put your incident response plan into motion

  • Coordinate with all internal stakeholders that make up your incident response team; this may include IT, InfoSec, Legal, Compliance, and the Executive team.
  • Launch your third-party incident response protocol accordingly.

Contact the vendor

  • Request information regarding the scope, timeline, affected data, and vendor remediation plans for the incident.
  • Request specific documentation that includes a full incident report and forensic analysis.

Assess your own exposure

  • Diagnose your own systems to understand what data or services were involved and scope their business criticality.
  • Consult your vendor inventory to understand integrations and access levels that may relate to the compromised vendor or systems. 

Communicate with internal and external stakeholders

  • Maintain clear lines of communication and regular check-ins with leadership teams.
  • Prepare communications for your affected teams, customers, and regulators should that prove necessary.

Monitor for related threats

  • Increase vigilance for other suspicious activity that may relate to the core incident or breach to ensure containment of the impact.
  • Consult threat intelligence sources to gain a better view of the scope, as well as glean any real-time responses that can support your efforts. 

Review vendor contracts and SLAs

  • Confirm breach response/notification timelines and obligations included in any contract language.
  • Determine whether the vendor met contractual security obligations.

Document everything

  • Maintain a timeline of events, communications, and decisions throughout the incident response process.
  • Provide this information (along with anything additionally requested) to your Compliance, Audit, and Legal teams. 

Update risk management practices 

  • Conduct a post-incident review of your response plan, as well as your overall risk-management processes, to ensure they measure up to your current risk profile or appetite.
  • Evaluate monitoring/assessment/remediation tools and platforms you currently use to ensure they meet your current needs.
  • Re-evaluate your approach to vendor risk management; this may entail updating your reassessment cadence, revisiting contract language, or updating your risk-ranking criteria.

Whistic Delivers Trust Through Transparency to Identify, Remediate, and Respond to Threats

At Whistic, we’re committed to helping teams respond to uncertainty with speed, clarity, and confidence. Our AI-first platform makes it easier to:

  • Discover potential downstream exposure to vulnerabilities quickly with threat-specific questionnaires in our ever-growing library of standards and frameworks.
  • Automate risk reassessments with AI-powered Assessment Copilot so you can conduct more thorough assessments of more vendors more often to prevent future incidents before they happen.
  • Proactively build trust with stakeholders and meet regulatory compliance requirements more easily.

We'll continue to monitor the Oracle situation and provide updates to our customers. You can also learn more about gaining access to Whistic's library of standards and frameworks or automating your vendor assessment process.
