Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: vishing (6 articles)Clear

ShinyHunters leaks Madison Square Garden Sports data on nearly 10 million people

The extortion group ShinyHunters has published data stolen from Madison Square Garden Sports, owner of the New York Knicks and Rangers, after the company did not pay. Have I Been Pwned indexed 9,796,738 unique email addresses spanning staff and customers, alongside extensive personal, employment, and customer-relationship records including names, addresses, phone numbers, and some dates of birth. Reporting on the leak describes an internal "Talent" file profiling former players, executives' family members, and celebrities, in some cases with so-called threat assessments. The intrusion reportedly began with voice-phishing of staff, the same social-engineering pattern behind ShinyHunters' wider 2026 campaign against large enterprises.

Check
People who interacted with Madison Square Garden venues or teams should check Have I Been Pwned for their email and watch for targeted phishing or fraud referencing tickets, accounts, or events.
Affected
Staff and customers of Madison Square Garden Sports whose contact and personal data was exposed (9,796,738 emails); high-profile individuals named in internal files face heightened targeting and impersonation risk.
Fix
Reset and avoid reusing affected account passwords, enable phishing-resistant MFA, and stay alert to convincing phishing. Organizations should harden help desks against voice-phishing with strict caller-identity verification.

Silent Ransom Group hits law firms with fake IT support calls

Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.

Check
Review RMM and remote-access tool installs from the past month tied to inbound IT support calls, and flag invoice or data-migration emails sent from consumer addresses.
Affected
US law firms and financial and professional-services organizations whose staff can be phoned and talked into screen-sharing or installing remote management software.
Fix
Require staff to verify any IT support contact through a known internal channel before granting access, restrict who can install RMM tools, and enforce phishing-resistant MFA.

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.

Two new cybercrime crews are calling employees, getting their MFA codes by phone, then stealing data from SaaS apps within hours

CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).

Check
Run a vishing-specific awareness exercise this week. Tell every employee that real IT will never ask them to read out an MFA code over the phone or enter it on a website during a call.
Affected
Organizations with SSO across Microsoft 365, Salesforce, Okta, Google Workspace, or similar SaaS where one set of credentials reaches multiple apps. Acute risk for help-desk-heavy enterprises (financial services, healthcare, large retail) where IT calls feel routine. Any company with a public corporate logo and SSO landing page is in the target pool.
Fix
Make it policy that IT never asks for MFA codes by phone. Require step-up authentication for any MFA registration change. Alert on new MFA device registrations from unfamiliar IPs. In Microsoft 365, monitor for OAuth grants to ToogleBox Recall and similar inbox-rule apps - these were used by Cordial Spider to delete security alerts. Use Mandiant's published IoCs to block known credential-harvesting domains.

ADT confirms breach after ShinyHunters claims 10 million records stolen via vishing-compromised Okta SSO and Salesforce exfil

ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.

Check
If you run Salesforce behind Okta or another SSO, audit conditional-access policies this week and assume vishing-driven session-hijack is a credible vector for your tenant.
Affected
ADT customers, particularly the prospective customers confirmed in the dataset. From a security standpoint: any organization using Salesforce behind SSO without device-bound auth or per-session re-auth on bulk exports. The pattern across ShinyHunters victims (Carnival, ADT, Zara, 7-Eleven) shows MFA alone does not stop this group once help-desk vishing succeeds.
Fix
Brief frontline staff on the vishing pattern: spoofed VoIP, attacker poses as IT, walks user through MFA enrollment. Run a tabletop. In Okta and Entra ID, alert on new device registrations and on bulk Salesforce exports outside business hours. Tighten Permission Set Groups for bulk exports. Consider FIDO2 or platform passkeys for any role with bulk customer-data access.

New extortion group 'BlackFile' running seven-figure ransom campaigns against retail and hospitality via vishing-driven SSO compromise and Salesforce/SharePoint scraping

Palo Alto's Unit 42 and the Retail & Hospitality ISAC outed a new financially-motivated group tracked as BlackFile (CL-CRI-1116, UNC6671, Cordial Spider) running data-theft extortion against retail and hospitality since February 2026 with seven-figure ransoms. The playbook: spoofed-VoIP vishing, attackers posing as IT helpdesk, victims routed to phishing pages capturing Microsoft Entra/Okta/Google SSO credentials, attackers then register their own devices to bypass MFA and pivot into Salesforce and SharePoint. Unit 42 links the group to 'The Com' and notes it has used swatting against non-paying victims. TTPs overlap heavily with ShinyHunters and Scattered Spider.

Check
Brief IT helpdesk staff this week on the BlackFile vishing pattern and run a tabletop on a help-desk-driven SSO compromise of one named individual.
Affected
Retail and hospitality are named target sectors but the playbook is industry-agnostic. Acute risk: any organization where helpdesk staff can re-enroll MFA devices over the phone without out-of-band caller verification. SaaS environments where users can perform bulk Salesforce report exports, SharePoint downloads, or Microsoft Graph queries without secondary controls.
Fix
Require manager confirmation on a separate channel for any MFA or password reset on high-privilege accounts. Disable phone-based helpdesk MFA reset for accounts with bulk-data access. In Okta and Entra, alert on new device registrations from unseen locations. In Salesforce, scope bulk export rights via Permission Set Groups and alert on Bulk API usage outside business hours.