ShinyHunters Claims 26M Records From Madison Square Garden
ShinyHunters threatens to leak 26 million customer records from MSG Sports, owner of the Knicks and Rangers, as today's June 15 deadline passes.
Madison Square Garden Sports Corp., the company behind the New York Knicks and New York Rangers, is facing a public extortion attempt from ShinyHunters—one of the most prolific data theft groups operating today. The attackers claim to have stolen over 26 million customer records and set a final deadline of June 15, 2026 for the company to negotiate before they begin leaking data.
What ShinyHunters Claims to Have
According to posts on underground forums and the group's communication channels, the stolen data allegedly includes:
- Customer personally identifiable information (PII)
- Internal corporate documents
- Records spanning MSG's ticketing and event operations
The threat actor warned in their public statement: "This is a final warning to reach out by 15 June 2026 before we leak along with several annoying digital problems."
MSG Sports has not publicly confirmed or denied the breach. The company operates the Madison Square Garden arena and Radio City Music Hall, and holds ownership stakes in multiple professional sports franchises.
ShinyHunters' Growing Enterprise Target List
This isn't ShinyHunters' first high-profile target in 2026. The group was recently linked to the Oracle PeopleSoft exploitation campaign that compromised over 100 organizations through CVE-2026-35273. That campaign, attributed to the group under the UNC6240 designation by Mandiant, specifically targeted HR, payroll, and financial data—suggesting the actors have refined their focus on extracting valuable corporate records.
ShinyHunters first gained notoriety in 2020 with breaches affecting Microsoft, Tokopedia, and Wishbone. Since then, the group has evolved from opportunistic database theft into what security researchers describe as a "ransomware-adjacent" operation that combines data exfiltration with extortion demands.
The MSG Attack Vector Remains Unknown
Neither MSG nor security researchers have disclosed how the attackers gained initial access. Given ShinyHunters' recent exploitation of the PeopleSoft vulnerability, organizations running Oracle enterprise software should treat this as a reminder to verify their patching status.
The timing is notable. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on June 12, ordering federal agencies to patch by June 15—the same deadline ShinyHunters set for MSG.
What MSG Customers Should Do
If you've purchased tickets, merchandise, or services through MSG properties, assume your information may be affected until the company provides clarity:
- Monitor your accounts for unauthorized activity, particularly any linked to MSG ticket purchases
- Enable fraud alerts with credit bureaus if you provided financial information
- Watch for phishing attempts referencing MSG, the Knicks, or the Rangers
- Change passwords on any accounts where you reused credentials from MSG services
For organizations dealing with data breach incidents, the MSG situation illustrates why incident response plans need to account for extortion scenarios, not just technical remediation.
The Extortion Economy
ShinyHunters represents a broader shift in cybercriminal operations. Rather than deploying ransomware that encrypts systems—which draws immediate attention and law enforcement response—these groups focus purely on data theft and extortion. The approach is quieter, often going undetected until the attackers announce themselves.
This mirrors tactics we've seen from other groups. The Qilin ransomware operation recently hit 15 organizations in 72 hours, and affiliates have been exploiting the Check Point VPN vulnerability to gain initial access to corporate networks.
Why This Matters
A breach affecting 26 million records would rank among the largest sports industry incidents on record. MSG's properties host millions of visitors annually, and their ticketing systems process substantial volumes of payment data.
The company's silence as the deadline passes creates uncertainty for customers and partners. Modern breach notification laws in most states require disclosure within specific timeframes once a company confirms unauthorized access to personal information.
Whether the claimed 26 million figure is accurate remains unverified. Threat actors frequently exaggerate breach scope to pressure victims. But ShinyHunters' track record of following through on threats—and their verified involvement in the PeopleSoft campaign—lends credibility to the claim that they possess at least some MSG data.
The next 48 hours will likely determine whether this becomes a data leak or a negotiated resolution. Either way, MSG customers should prepare accordingly.