
Madison Square Garden confirms breach linked to Oracle EBS campaign
Context and chronology
A prominent entertainment operator, Madison Square Garden, has acknowledged that customer records were taken during a broader campaign exploiting vulnerabilities in Oracle E-Business Suite. The threat actors behind the campaign moved data out of a vendor-hosted instance in August 2025 and publicly named several victims months later. The firm began notifying affected individuals after verifying the compromise and the type of data removed, which included full names and Social Security numbers; the company linked the incident to its externally managed EBS environment rather than to internal systems.
The intrusions are tied to a high-profile extortion group whose operation has hit a broad swath of enterprises using the same enterprise management platform, impacting more than a hundred organizations across sectors. Attackers leveraged zero-day weaknesses to access hosted databases, then exfiltrated records for leverage; at least one state regulator has received formal notification showing a localized count of affected residents. The operator declined to pay, and the adversary subsequently released data for some victims, complicating remediation and notification obligations for the company and its vendor.
This episode crystallizes several operational failures in managed-service deployments: delayed detection within hosted stacks, fragile vendor segmentation, and asymmetric consequences when critical PII is stored in broadly used ERP modules. The disclosure timeline (theft in late summer 2025, public naming in autumn, and acknowledgement in early 2026) highlights the gap between compromise and corporate confirmation that regulators and class-action lawyers now exploit. Stakeholders must treat hosted enterprise suites as high-value targets rather than as peripheral IT components.