ctipilot.ch

Madison Square Garden breach — ShinyHunters vishing into the company's identity platform

incident · incident:msg-shinyhunters-vishing-entra

  • Coverage timeline: 1 brief, first 2026-06-26 → last 2026-06-26
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 4

Story timeline

  1. 2026-06-26: CTI Daily Brief — 2026-06-26
     active_threats: 404 Media confirms vishing → identity-platform initial access; ~45 GB / 26M records leaked; transferable vishing → identity-platform → MFA-enrollment kill chain

Where this entity is cited

  • active_threats: 1

Source distribution

  • 404media.co: 1 (33%)
  • abnormal.ai: 1 (33%)
  • thenextweb.com: 1 (33%)

Items in briefs about Madison Square Garden breach — ShinyHunters vishing into the company's identity platform (1)

ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden

From CTI Daily Brief — 2026-06-26 · published 2026-06-26

404 Media's review of the stolen Madison Square Garden data and the attackers' own account confirm the intrusion began with a vishing call — the operators phoned a low-level employee and talked them into letting them into MSG's systems (404 Media, 2026-06-24). Reporting attributes the breach to ShinyHunters; after MSG missed a 15 June ransom deadline, roughly 45 GB / 26M+ records were published (The Next Web, 2026-06-16). The wider pattern this fits — and the one worth detecting — is the vishing → identity-platform (Entra/Okta) → MFA-enrollment → SSO-pivot chain that Abnormal Security documents generically: an IT-impersonation call manufacturing MFA-reset urgency, real-time credential and one-time-code capture on a tenant-branded phishing page, enrollment of an attacker-controlled MFA device, then a pivot into connected SaaS (Abnormal Security, 2026-02-06). The chain maps to T1566.004 (vishing), T1078.004 (cloud accounts), and T1556.006 (MFA manipulation).

Why it matters to us: the victim is a US private entity, but the kill chain is identity-platform-agnostic and lands the same way against EU public-sector Entra/Okta tenants. Hunt Entra audit logs for new MFA-method registration events correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; the durable control is phishing-resistant FIDO2/passkey MFA that cannot be relayed in real time, plus Conditional Access requiring a compliant device for MFA enrollment.
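The hunt described above, as an added illustration (not code from the brief or from any of the cited sources): correlate each "User registered security info" audit event with the same user's sign-ins in the preceding hour and flag registrations preceded by an unfamiliar country, an unfamiliar user agent, or a risky sign-in. Event and baseline data are constructed, and the field names are assumptions loosely modelled on Entra's audit and sign-in log schema, not a schema export.

```python
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions, modelled on Entra logs).
AUDIT_EVENTS = [
    {"time": "2026-06-10T09:02:00Z", "activityDisplayName": "User registered security info",
     "user": "jdoe@example.org", "detail": "Authenticator App with Notification and Code"},
    {"time": "2026-06-10T14:30:00Z", "activityDisplayName": "User registered security info",
     "user": "asmith@example.org", "detail": "Authenticator App with Notification and Code"},
]
SIGNIN_EVENTS = [
    {"time": "2026-06-10T08:55:00Z", "user": "jdoe@example.org", "country": "NL",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "riskLevel": "medium"},
    {"time": "2026-06-10T14:25:00Z", "user": "asmith@example.org", "country": "CH",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/126.0", "riskLevel": "none"},
]
# Constructed per-user baseline of previously seen countries and user agents.
BASELINE = {
    "jdoe@example.org": {"countries": {"CH"}, "agents": {"Mozilla/5.0 (Windows NT 10.0) Edge/126.0"}},
    "asmith@example.org": {"countries": {"CH"}, "agents": {"Mozilla/5.0 (Windows NT 10.0) Edge/126.0"}},
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def hunt_mfa_enrollment(audit, signins, baseline, window=timedelta(minutes=60)):
    """Flag MFA-method registrations preceded, within `window`, by a sign-in from an
    unfamiliar country or user agent, or by a sign-in carrying a non-zero risk level."""
    findings = []
    for ev in audit:
        if ev["activityDisplayName"] != "User registered security info":
            continue
        t_reg = _ts(ev["time"])
        prof = baseline.get(ev["user"], {"countries": set(), "agents": set()})
        for s in signins:
            if s["user"] != ev["user"] or not (t_reg - window <= _ts(s["time"]) <= t_reg):
                continue
            reasons = []
            if s["country"] not in prof["countries"]:
                reasons.append(f"new country {s['country']}")
            if s["userAgent"] not in prof["agents"]:
                reasons.append("new user agent")
            if s["riskLevel"] != "none":
                reasons.append(f"risk={s['riskLevel']}")
            if reasons:  # only registrations with at least one anomalous precursor
                findings.append({"user": ev["user"], "registered_at": ev["time"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt_mfa_enrollment(AUDIT_EVENTS, SIGNIN_EVENTS, BASELINE):
        print(f)
```

A tenant-scale version would source the baseline from historical sign-in logs rather than a static dict, and add the post-enrollment impossible-travel risk events the brief mentions as a second correlation stage.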