➤Summary
A sample allegedly from a breach of Oracle Cloud infrastructure has surfaced on BreachForums. The leaked material includes an LDAP directory export containing sensitive user information tied to Oracle’s multi-tenant architecture. The companies named in the sample are covered below.
This analysis examines the structure, contents, and implications of the leak, identifies potential attack surfaces, and maps the scope using associated organizational data.
Sample_LDAP.txt
The file includes structured LDAP entries for users in an Oracle Cloud identity store, with attributes consistent with Oracle Identity Management and Fusion Middleware environments.
- dn: Distinguished name indicating tenant structure in dc=cloud,dc=oracle,dc=com
- orclmttenantguid: Same across all users (11987096172814988), suggesting a single compromised tenant
- objectclass: Includes sensitive Oracle IAM schema classes (orclIDXPerson, oblixOrgPerson)
- authpassword;oid: Multiple hashed password formats (SASL/MD5, MD5-DN, MD5-U)
- userpassword::: Base64-encoded, obfuscated password
- obpasswordexpirydate: Indicates old credentials (2018-05-24)
- tenantadmin, userreadprivilegeuc, userwriteprivilegeuc: Access role information for internal IAM groups

```yaml
Name: Pa****ck D*dd
Email: pa*ck_d**d@h**er.com
Tenant: efkd-test
Role: TenantAdminGroup
```

```yaml
Name: Li**a F**s
Email: li**a.f**us@f**p.com
Tenant: efkd-test
Role: Full IAM privileges
```
More than five users are included, each with similar attributes — implying a test or development environment, but with real user identities.
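To turn the attribute list above into something repeatable, the following added example (not code from the original post) parses an LDIF export of the same shape and reports, per entry, the MD5-based password schemes the post calls deprecated, credentials past their obpasswordexpirydate, privileged-group attributes, and how entries cluster by orclmttenantguid. The sample entries, the tenant GUIDs and the `{SCHEME}` prefix convention used for the hash values are constructed assumptions, not data from the leak.

```python
"""Triage an LDIF export for exposure indicators (added example, not from the post).
Handles folded lines and '::' base64 values, then checks each entry for
deprecated MD5-based password schemes, expired credentials, privileged
attributes, and tenant clustering by orclmttenantguid."""
import base64
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample in the layout described in the post; every value is made up.
# The '::' userpassword line decodes to "{SASL/MD5}00000000".
SAMPLE_LDIF = """\
dn: cn=user1,cn=users,dc=efkd-test,dc=cloud,dc=oracle,dc=com
objectclass: orclIDXPerson
objectclass: oblixOrgPerson
orclmttenantguid: 0000000000000001
mail: user1@example.com
authpassword;oid: {SASL/MD5}00000000000000000000000000000000
authpassword;oid: {MD5-DN}00000000000000000000000000000000
userpassword:: e1NBU0wvTUQ1fTAwMDAwMDAw
obpasswordexpirydate: 2018-05-24T00:00:00Z
tenantadmin: TenantAdminGroup
userwriteprivilegeuc: cn=PrivilegeGroup,dc=efkd-test,dc=cloud,dc=oracle,dc=com

dn: cn=user2,cn=users,dc=efkd-test,dc=cloud,dc=oracle,dc=com
objectclass: orclIDXPerson
orclmttenantguid: 0000000000000001
mail: user2@example.com
authpassword;oid: {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAA
obpasswordexpirydate: 2030-01-01T00:00:00Z

dn: cn=user3,cn=users,dc=other-tenant,dc=cloud,dc=oracle,dc=com
objectclass: orclIDXPerson
orclmttenantguid: 0000000000000002
mail: user3@example.com
userpassword:: e1NTSEF9QUFBQQ==
"""

PRIVILEGE_ATTRS = ("tenantadmin", "userreadprivilegeuc", "userwriteprivilegeuc")
ATTR_LINE = re.compile(r"^([^:]+?)(::?)\s*(.*)$")


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute to its values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folding: leading space continues previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines:
        if not line.strip():                    # blank line separates entries
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        m = ATTR_LINE.match(line)
        if not m or line.startswith("#"):
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                         # '::' marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[attr].append(value)
    if current:
        entries.append(dict(current))
    return entries


def password_schemes(entry):
    """Scheme names in braces (e.g. SASL/MD5) across the password attributes; never the digest."""
    schemes = set()
    for attr in ("authpassword;oid", "userpassword"):
        for value in entry.get(attr, []):
            m = re.match(r"^\{([^}]+)\}", value)
            schemes.add(m.group(1).upper() if m else "UNKNOWN")
    return schemes


def triage_entry(entry, today):
    issues = []
    weak = sorted(s for s in password_schemes(entry) if "MD5" in s)
    if weak:
        issues.append("deprecated-hash:" + ",".join(weak))
    for raw in entry.get("obpasswordexpirydate", []):
        expiry = date.fromisoformat(raw[:10])   # accept both "YYYY-MM-DD" and timestamp forms
        if expiry < today:
            issues.append("expired-credential:" + expiry.isoformat())
    for attr in PRIVILEGE_ATTRS:
        if entry.get(attr):
            issues.append("privileged:" + attr)
    return issues


def triage(text, today=None):
    """today: ISO date string used as the reference date (defaults to the current date)."""
    ref = date.fromisoformat(today) if today else date.today()
    entries = parse_ldif(text)
    return {
        "entries": len(entries),
        "tenants": Counter(g for e in entries for g in e.get("orclmttenantguid", [])),
        "findings": {e["dn"][0]: triage_entry(e, ref) for e in entries},
    }


if __name__ == "__main__":
    for dn, issues in triage(SAMPLE_LDIF, today="2025-03-21")["findings"].items():
        print(dn, "->", issues or "no findings")
```

Run against a real export, the tenant counter answers the "single tenant?" question directly, and the findings list is what an incident responder would hand to the identity team for forced resets and privilege review.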
Several details support the sample's authenticity:
- orclMTTenantGuid, orclUserWritePrefsPrivilegeGroup, and Oblix identity management classes are Oracle-specific internal IAM attributes, which are unlikely to be fabricated.
- authpassword;oid values are shown in MD5-based hash formats. MD5 is deprecated, and depending on Oracle’s hashing salt strategy, these could potentially be cracked.
- All email domains from the leaked LDAP sample exist in the Oracle-related company list. These domains are:
- hitchiner.com
- fngp.com
- fnst.com

This strongly suggests that all identified users are associated with companies known to Oracle, either as clients, partners, or test users. None of the LDAP domains are missing from the company list, and no obvious fake or test-only domains such as example.com or test.local appear in the sample.
These are the most common domain zones in the breached data:
| TLD | Count | Region |
|---|---|---|
| .com | 70,971 | Global / US-centric |
| .br | 4,432 | Brazil |
| .jp | 3,424 | Japan |
| .net | 3,280 | Global |
| .org | 2,876 | Non-profits, EDU |
| .de | 2,349 | Germany |
| .uk | 2,290 | United Kingdom |
| .it | 1,808 | Italy |
| .mx | 1,523 | Mexico |
| .au | 1,497 | Australia |
Strong international spread — not just North America. This suggests the compromised Oracle environment was used by global clients.
Only 17 domains in the list belong to generic email services (e.g., Gmail, Hotmail, Yahoo, QQ). Examples include:
- gmail.com (8 mentions)
- hotmail.com (4 mentions)
- icloud.com, qq.com, 163.com, etc.

📌 This shows the overwhelming majority of entries are enterprise/company emails, not personal accounts, reinforcing the enterprise nature of this breach.
Some companies appear multiple times in the breach list. A few examples:
| Domain | Mentions |
|---|---|
| gmail.com | 8 |
| nov.com | 4 |
| ironmountain.com | 2 |
| kp.org | 3 |
| shelfdrilling.com | 3 |
These may indicate:
- Multiple users in the same tenant (efkd-test) with the same orclMTTenantGuid. This tenant may be a shared environment or demo account used for multiple client-facing roles or support scenarios.
- The @hitchiner.com, @fngp.com, and @fnst.com addresses might indicate these companies share a joint environment, or that Oracle used these domains in QA/dev environments with real partner data.
- TenantAdminGroup and full IAM access roles in these user entries imply privileged access, possibly partner-admins or implementation teams.
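The domain analysis above (cross-reference against the known-company list, the TLD breakdown, the generic-webmail share and the repeated-domain table) comes down to a handful of counters over the mail attribute. The following added example, not code from the original post, implements those steps in one place. The address list, the stand-in "known company" set and the generic-provider set are constructed assumptions; the placeholder-domain check uses the reserved names from RFC 2606 and RFC 6761.

```python
"""Domain statistics for mail addresses in a leak sample (added example, not from the post):
TLD spread, placeholder/test domains, generic-webmail share, cross-reference against a
known-company list, and domains that appear more than once."""
from collections import Counter

# Constructed addresses; local parts are dummies and the list is not from the leak.
SAMPLE_MAILS = [
    "a@hitchiner.com", "b@fngp.com", "c@fnst.com",
    "d@gmail.com", "e@gmail.com", "f@nov.com", "g@nov.com",
    "h@kp.org", "i@example.co.uk", "j@example.com", "k@test.local",
    "l@unlisted.io", "not-an-address",
]
# Hypothetical stand-in for the "Oracle-related company list" the post cross-references.
KNOWN_COMPANY_DOMAINS = {"hitchiner.com", "fngp.com", "fnst.com", "nov.com", "kp.org", "example.co.uk"}
# Consumer webmail providers (the post names Gmail, Hotmail, Yahoo, QQ, iCloud and 163).
GENERIC_PROVIDERS = {"gmail.com", "hotmail.com", "yahoo.com", "qq.com", "icloud.com", "163.com", "outlook.com"}
# Reserved placeholder names (RFC 2606 / RFC 6761) that point at synthetic test data.
PLACEHOLDER_DOMAINS = {"example.com", "example.net", "example.org"}
PLACEHOLDER_TLDS = {"local", "test", "invalid", "example", "localhost"}


def domains_of(mails):
    """Lower-cased domain part of each address; strings without '@' are skipped."""
    return [m.rsplit("@", 1)[1].lower() for m in mails if "@" in m]


def tld_counts(domains):
    """Count by last label, which is how the post's table treats .co.uk (as .uk)."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def is_placeholder(domain):
    return domain in PLACEHOLDER_DOMAINS or domain.rsplit(".", 1)[-1] in PLACEHOLDER_TLDS


def classify(domains, known=KNOWN_COMPANY_DOMAINS):
    """Bucket every mention as placeholder, generic, known or unknown (checked in that order)."""
    buckets = {name: Counter() for name in ("placeholder", "generic", "known", "unknown")}
    for d in domains:
        if is_placeholder(d):
            buckets["placeholder"][d] += 1
        elif d in GENERIC_PROVIDERS:
            buckets["generic"][d] += 1
        elif d in known:
            buckets["known"][d] += 1
        else:
            buckets["unknown"][d] += 1
    return buckets


def repeated(domains, min_mentions=2):
    """Domains seen at least min_mentions times, like the post's 'Mentions' table."""
    return {d: n for d, n in Counter(domains).items() if n >= min_mentions}


def report(mails, known=KNOWN_COMPANY_DOMAINS):
    domains = domains_of(mails)
    buckets = classify(domains, known)
    return {
        "total": len(domains),
        "tlds": tld_counts(domains),
        "generic_share": sum(buckets["generic"].values()) / len(domains) if domains else 0.0,
        "unknown": buckets["unknown"],          # domains absent from the company list
        "placeholder": buckets["placeholder"],  # evidence of synthetic test data
        "repeated": repeated(domains),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_MAILS).items():
        print(key, "=", value)
```

An empty "unknown" bucket is the condition the post describes ("none of the LDAP domains are missing from the company list"), and a non-empty "placeholder" bucket would be the first sign that a sample is fabricated test data rather than real identities.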