The hackers that stole a large cache of data from Madison Square Garden called a low level employee and tricked them into letting the hackers into MSG’s systems, according to the hackers and 404 Media’s review of the stolen data.
The breach highlights the risk of social engineering over voice calls, sometimes called ‘vishing’. Whereas phishing, where hackers social engineer someone over email or send them a fake login page, has been common for decades, vishing has only become prevalent more recently, especially as young, native English-speaking hackers have become a serious cybersecurity threat.
“Employee vishing on their Microsoft Entra,” a member of the hacking group behind the MSG breach, called ShinyHunters, told 404 Media when asked to explain how the group got in. Microsoft Entra is Microsoft’s identity management product, similar to Okta, which lets employees log into whatever tools or services they need at work.
Last week 404 Media reported hackers had uploaded data stolen from MSG. A sample 404 Media reviewed at the time included files mentioning Knicks-related personalities, with fields such as “address,” “claim to fame,” and “cost of talent.” In some cases the data included a risk score for certain celebrities, with actor, director and Knicks fan Ben Stiller described as “Low Risk” and rapper Boogie with da Hoodie marked “High Risk.”
Since then 404 Media downloaded the full 45GB data dump and found the contents of a specific MSG employee’s OneDrive. It included work documents, photos, screenshots, and other attachments. A folder called “Personal” contained the employee’s W-2 form, which included their name and other personal information. This indicated that the breach may have originated from this specific employee. 404 Media found a LinkedIn profile under the same name showing this person worked at MSG. 404 Media is not naming the employee for their privacy.
404 Media then asked a member of ShinyHunters how the group breached MSG. The member provided this employee’s name.
When 404 Media asked the ShinyHunters member to elaborate on how the group compromised MSG, they pointed to a May blog post from Microsoft, which they said was “about us.” That post described what Microsoft called a “methodical, sophisticated, and multi-layered attack.” It details another attack—the blog post was published May 18 and the ShinyHunters member said the MSG hack happened on June 5—but there are similarities.
The Microsoft blog post says hackers first targeted specific people to get their Microsoft Entra credentials. The hackers started the Self-Service Password Reset (SSPR) process, and then tricked users into completing the multifactor authentication prompts that appear legitimate, Microsoft said. “For example, the threat actor might impersonate an internal information technology (IT) support representative and contact the user claiming that their account requires urgent verification, instructing them to approve MFA prompts as part of a routine password reset procedure,” the blog post reads.
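An added example, not from the article or from Microsoft, of how a defender might triage the pattern Microsoft describes: a Self-Service Password Reset started from an IP address the user has never signed in from, followed by an MFA approval and a completed reset. The event records, field names and the per-user IP baseline below are constructed for illustration and do not reflect Entra's real log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified events; field names are illustrative, not Entra's real schema.
EVENTS = [
    {"ts": "2025-06-05T14:02:10", "user": "alice@example.com", "type": "sspr_start", "ip": "203.0.113.7"},
    {"ts": "2025-06-05T14:02:45", "user": "alice@example.com", "type": "mfa_approved", "ip": "198.51.100.4"},
    {"ts": "2025-06-05T14:03:02", "user": "alice@example.com", "type": "sspr_complete", "ip": "203.0.113.7"},
    {"ts": "2025-06-05T09:15:00", "user": "bob@example.com", "type": "sspr_start", "ip": "192.0.2.50"},
    {"ts": "2025-06-05T09:15:30", "user": "bob@example.com", "type": "mfa_approved", "ip": "192.0.2.50"},
    {"ts": "2025-06-05T09:16:00", "user": "bob@example.com", "type": "sspr_complete", "ip": "192.0.2.50"},
]

# Constructed baseline: IPs each user has signed in from over a recent window.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.4", "192.0.2.10"},
    "bob@example.com": {"192.0.2.50"},
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_resets(events, known_ips, window=timedelta(minutes=10)):
    """Return (user, start_ip, start_ts) for each completed SSPR that was
    started from an IP outside the user's baseline and carried an MFA approval."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["type"] != "sspr_start":
                continue
            if start["ip"] in known_ips.get(user, set()):
                continue  # reset began from a place this user normally signs in from
            t0 = parse_ts(start["ts"])
            # Only events that follow the reset start within the window count.
            later = [e for e in evs[i + 1:] if parse_ts(e["ts"]) - t0 <= window]
            approved = any(e["type"] == "mfa_approved" for e in later)
            completed = any(e["type"] == "sspr_complete" for e in later)
            if approved and completed:
                alerts.append((user, start["ip"], start["ts"]))
    return alerts
```

A mobile authenticator approving from a different IP than the desktop is normal, so the rule keys on where the reset itself was started, not on the IP of the MFA approval.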
Once in, the hackers can then pivot onto other apps or systems where data may be stored. In MSG’s case, the dump includes data taken from a SharePoint instance, Microsoft’s sharing and collaboration platform.
The ShinyHunters member didn’t elaborate beyond the blog post, but told 404 Media: “We called the employee and had them do the SSPR process,” referring specifically to the MSG hack.
Law firm Morgan and Morgan has filed a class action lawsuit related to the breach, arguing MSG’s surveillance of visitors led to it. When asked if ShinyHunters targeted MSG because of the venue’s surveillance practices, the member said, “Yes we thought they would pay for that reason but they surprisingly did not.”
MSG did not respond to a request for comment.
404 Media reported this week the data dump contained a dossier on activists who had opposed MSG’s facial recognition program.