The extortion crew behind a string of 2026's biggest breaches says it has a new victim. Plus a record-breaking patch haul, a quiet SaaS disclosure, and two of the week's loudest breaches that turned out never to have happened.
The extortion collective ShinyHunters claims it has breached Madison Square Garden Sports, the parent company of the NBA's Knicks and the NHL's Rangers. MSGS has not confirmed anything, and a claim is not a confirmed compromise — but with this crew, the claim is itself a weapon: reputational pressure applied before a single record is verified, and timed for maximum attention.
What makes it land is the pattern around it. The same name is attached to this month's Oracle PeopleSoft zero-day campaign (tracked by Mandiant as UNC6240, hitting 100+ organisations), to McGraw Hill, to the Canvas-maker Instructure — which reportedly paid and got a promise, not protection — and to a string of CRM raids at the likes of Charter and Carnival.
When one name attaches to a dozen unrelated victims, you're not tracking a hacker anymore. You're tracking a business model.
ServiceNow has disclosed a security incident that gave attackers access to customer data, framed in the careful language of "researcher activity." Whatever the framing, it sits inside 2026's most reliable storyline: the breach that starts with one trusting person, not one clever exploit.
The receipts pile up. Carnival traced a roughly six-million-record exposure to a single social-engineered employee account; Charter's "only sales tools" reassurance dissolved into nearly five million records in the wild. CRMs concentrate precisely the data that should never sit in plaintext, and a phone call still opens more doors than any payload.

| CVE / Item | Severity | Product | Status |
|---|---|---|---|
| CVE-2026-35273 | CRITICAL 9.8 | Oracle PeopleSoft | Exploited · 0-day |
| CVE-2026-11645 | CRITICAL | Google Chrome (V8) | Exploited in the wild |
| Patch Tuesday | 208 CVEs | Microsoft (record) | Incl. 1 exploited 0-day |
| RoguePlanet PoC | HIGH | Windows | Public PoC on GitHub |

Two truths in one table. "Record patch month" has quietly become a monthly headline — 208 isn't a spike, it's the new baseline. And the RoguePlanet saga (a banned researcher, "Nightmare Eclipse," reposting a live zero-day hours after Patch Tuesday) is a reminder that disclosure is a human drama no scanner will catch.
This week's most instructive incident is one that didn't occur. Fabricated breach notices naming VRChat (2.4 million users) and Discord (10 million) were filed on Maine's official Attorney General portal and published almost immediately — no verification required. VRChat says it never filed; the employee named on the notice does not exist. Maine pulled the filings on 12 June, called them hoaxes, and took the public portal offline.
Sit with the elegance of it. Security teams, journalists and class-action lawyers treat that portal as ground truth — records propagate into news alerts, risk dashboards and litigation databases within hours. An attacker who plants a false entry manufactures a "confirmed breach" out of nothing: instant phishing pretext, instant stock pressure, instant panic. You no longer need to steal the data. You only need everyone to believe you did.
Read today's edition end to end and the pattern isn't malware — it's belief. A real crew claiming a real target it may not hold. A real vendor admitting a real incident in soft language. A fake breach that fooled the people whose job is not to be fooled. The scarce resource in 2026 isn't a patch; it's verification.
The same convergence runs across the network today: a sports franchise's data allegedly walking out the door, and a gaming community braced all weekend for a leak that never existed. Defence used to mean keeping attackers out. Increasingly it means proving what's actually true, fast enough to matter.