Oracle Cloud Breach Sparks NCERT Warning: Six Million SSO Credentials Allegedly Compromised
India's National Computer Emergency Response Team (NCERT) has issued a cyber alert regarding an alleged Oracle Cloud breach involving over six million federated login credentials. While Oracle denies the incident, dark web evidence and ongoing phishing attacks suggest otherwise.

The National Computer Emergency Response Team (NCERT) has issued a formal cyber advisory after a hacker, alias “rose87168,” allegedly breached Oracle Cloud systems and leaked sensitive data. The attacker claims to have exfiltrated over six million federated SSO credentials, LDAP authentication data, and corporate identity lists, which are now being sold on dark web forums. Oracle denies the breach, but denial does not equal security.
The breach, if confirmed, would be one of the most significant exposures of federated identity infrastructure to date. Federated SSO acts as a master key across platforms. Once compromised, attackers can bypass multiple layers of security via credential stuffing or privilege escalation. That risk is now active.
NCERT’s advisory cites critical vulnerabilities in SSO authentication mechanisms and LDAP misconfigurations, common weak points when enterprises scale identity management without auditing configurations. The hacker claims access began 40 days prior, implying multiple attack windows before discovery. Phishing campaigns are already targeting affected companies using leaked credentials to gain deeper footholds.
Credential theft at this scale doesn’t just pose a threat to Oracle Cloud users. It introduces a cascading risk to all connected platforms (AWS, Microsoft 365, Salesforce) via compromised identity tokens.
What’s worse: encrypted SSO passwords are reportedly vulnerable to brute-force decryption, stripping away any illusion of residual safety. Meanwhile, Oracle's refusal to acknowledge the breach mirrors the same playbook used by major tech vendors whenever attribution might damage investor confidence. Denial serves corporate liability, not user protection.
The NCERT advisory pushes immediate countermeasures:
- Reset all federated SSO credentials
- Enforce Multi-Factor Authentication (MFA)
- Conduct full internal audits of LDAP configurations and access controls
- Monitor authentication logs and threat indicators in real-time
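
As an added example (not part of the NCERT advisory or the original article), the sketch below shows what monitoring authentication logs for this scenario can look like: it flags one source IP failing against several accounts in a short window, any success from that IP afterwards, and any successful login that skipped MFA. The JSON field names, the thresholds and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The JSON field names are assumptions for this
# example, not an Oracle Cloud or identity-provider log schema.
SAMPLE_LOG = """\
{"ts":"2025-01-01T10:00:01","user":"alice","src_ip":"203.0.113.7","result":"fail","mfa":false}
{"ts":"2025-01-01T10:00:05","user":"bob","src_ip":"203.0.113.7","result":"fail","mfa":false}
{"ts":"2025-01-01T10:00:09","user":"carol","src_ip":"203.0.113.7","result":"fail","mfa":false}
{"ts":"2025-01-01T10:00:14","user":"dave","src_ip":"203.0.113.7","result":"success","mfa":false}
{"ts":"2025-01-01T10:02:00","user":"erin","src_ip":"198.51.100.20","result":"success","mfa":true}
{"ts":"2025-01-01T10:30:00","user":"alice","src_ip":"198.51.100.20","result":"fail","mfa":false}
{"ts":"2025-01-01T10:31:00","user":"alice","src_ip":"198.51.100.20","result":"success","mfa":true}
"""

WINDOW = timedelta(minutes=5)  # look-back window per source IP (assumed threshold)
MIN_USERS = 3                  # distinct failing accounts that count as stuffing

def parse(log_text):
    """Parse JSON-lines events and return them in time order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return alerts as (rule, src_ip, detail) tuples."""
    alerts, flagged = [], set()
    fails = defaultdict(list)  # src_ip -> [(ts, user)] failures inside WINDOW
    for e in events:
        ip = e["src_ip"]
        fails[ip] = [(t, u) for t, u in fails[ip] if e["ts"] - t <= WINDOW]
        if e["result"] == "fail":
            fails[ip].append((e["ts"], e["user"]))
            users = sorted({u for _, u in fails[ip]})
            if len(users) >= MIN_USERS and ip not in flagged:
                flagged.add(ip)  # one IP trying many accounts: stuffing pattern
                alerts.append(("credential_stuffing", ip, tuple(users)))
        elif e["result"] == "success":
            if ip in flagged:  # a leaked credential may have worked
                alerts.append(("success_after_stuffing", ip, e["user"]))
            if not e["mfa"]:   # MFA enforcement gap
                alerts.append(("login_without_mfa", ip, e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

A single failed attempt followed by an MFA-backed success, as in the last two sample events, produces no alert, which keeps ordinary mistyped passwords out of the queue.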
Security teams must treat this breach as ongoing. Reactive posturing is insufficient when credentials are already in circulation and phishing operations are exploiting the lag.
If you’re using Oracle Cloud or federated login services through it, assume compromise until you can prove otherwise. Oracle’s denials offer zero assurance without transparency or forensic verification. This is not a question of trust; it’s a question of exposure.