
Madison Square Garden confirms breach linked to Oracle EBS campaign
Context and chronology
A prominent entertainment operator, Madison Square Garden, has acknowledged that customer records were taken during a broader campaign exploiting vulnerabilities in Oracle E-Business Suite. Threat actors attributed to the campaign moved data out of a vendor-hosted instance in August 2025 and publicly named several victims months later. The firm began notifying affected individuals after verifying the compromise and the type of data removed, which included full names and Social Security numbers; the company linked the incident to its externally managed EBS environment rather than to internal systems.
The intrusions are tied to a high-profile extortion group whose operation has hit a broad swath of enterprises running the same enterprise management platform, impacting more than a hundred organizations across sectors. Attackers exploited zero-day weaknesses to reach hosted databases and exfiltrated records to use as extortion leverage; at least one state regulator has received a formal notification giving a localized count of affected residents. The operator declined to pay, and the adversary subsequently released data for some victims, complicating remediation and notification obligations for the company and its vendor.
This episode crystallizes several operational failures in managed-service deployments: delayed detection within hosted stacks, fragile vendor segmentation, and asymmetric consequences when critical PII is stored in broadly used ERP modules. The disclosure timeline (theft in late summer 2025, public naming in autumn, and acknowledgement in early 2026) highlights the gap between compromise and corporate confirmation that regulators and class-action lawyers now exploit. Stakeholders must treat hosted enterprise suites as high-value targets rather than as peripheral IT components.