All native users had password reset. Audit logs show OAT_CLIENT_APPID made the request.
Summary:
Last night, three different times, some weird ID made an API call to reset all native user passwords that we have. The ID is OAT_CLIENT_APPID. Has anyone had experience with this?
Content:
Basically what the title says. Last night, an ID that we do not have anywhere in our system used admin authority to reset the passwords of every native user we have, three times. We can see this in the OCI console through the various log pulls. The IP addresses of the API calls indicate that they originated from Oracle data centers. We do NOT have API management of our IAM service set up. I double-checked all created applications and user IDs just to ensure there wasn't some sort of compromise somewhere in our system where a bad actor had created