Let me preface this with this was a dormant account with no instances set up, and I put it into place maybe 4 or 5 years ago while getting into the Self Hosted space. I don’t recall if I had MFA setup, but don’t think I did as it was a test space. In fact, I forgot I even had it up until now.

So this weekend, we were out of town and I get this alert from Oracle Cloud saying that my account was locked with a password reset link/ This was set to an email I’ve had since 2004 and has been sold many many times on the dark web as evidenced by the amount of SPAM I get on it and as my monitoring services confirm. I figured it was a weak ploy at a fishing to get my credentials so I ignored it. Then about 3 or 4 or so minutes later, the account was unlocked with another email to confirm this. (Without my touching anything)

So, last night when I returned home, I went to Oracle ignoring the email links and used my browse’s address bar. To no surprise of my own, I can’t log in or reset my credentials. Somehow, the attackers were able to exploit their platform to intercept the password reset and change everything to their credentials.

It’s no real loss on my end honestly, Oracle had an old canceled debit card number for re-occurring billing if I should have ever used their services anyway. It just bugs me that they allowed it to happen so easily. Having the lack of MFA, I’m sure didn’t help the matter, but honestly, what gets me the most - their password reset email and the one saying it was unlocked with no links or contact information to correct the situation if this was incorrect. Further proof on my end that oracle doesn’t care about anything other than the money grab.

tl:dr My lack of MFA enabled hackers to attack my formerly dormant and forgotten Oracle account, and locked me out and Oracle doesn’t seem to mind.

  • Perhyte@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    It’s possible your e-mail account was compromised, and that’s how they were able to click that confirmation link you ignored. Change your e-mail password.

    • node815@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I have MFA enabled on that account have had it there for years. :) (2FA + Webauth) Password already updated too. :) That email I know has been all over the dark web based on my monitoring alerts and know it’s been used. All of my important user accounts with that email were changed to a new one 6 or so months ago. I just forgot about this one and like I said, never really used it anyway. :)