ShinyHunters leaks Madison Square Garden Sports data online
The ShinyHunters extortion gang published data it claims to have stolen from Madison Square Garden Sports — owner of the New York Knicks and Rangers — after the company missed a ransom deadline.
- Victim
- Madison Square Garden Sports
On 16 June 2026, the prolific extortion crew ShinyHunters published data it claims to have stolen from Madison Square Garden Sports — the holding company that owns the New York Knicks and the New York Rangers — after the firm missed the group's ransom deadline. The dump appeared on ShinyHunters' leak infrastructure several days after the group first named the company.
What happened
ShinyHunters listed Madison Square Garden Sports around 12 June 2026 and set a deadline of 15 June for payment, threatening to release the material if its demands were not met. When the deadline passed, the group began publishing the data on 16 June. The record counts are the attacker's own claims and have not been confirmed by the company: ShinyHunters publicly asserted it held more than 26 million records, while its leak-site listing referenced over 2.2 million records of customer personally identifiable information and internal corporate data — figures that conflict and remain unverified.
Journalists who reviewed the published files reported that the data extends well beyond ordinary customer records, including internal corporate documents and guest profiles and threat-assessment material that MSG venues are known to compile, alongside internal correspondence relating to the company's controversial use of facial-recognition technology. Madison Square Garden Sports has not publicly confirmed the breach or the scope claimed by the attackers.
Why it matters
The listing fits ShinyHunters' 2025–2026 playbook: a recognisable brand, an unverified seven- or eight-figure record claim, and a short public countdown designed to pressure a quick payment rather than encrypt files. The group has tied much of its recent activity to a sweeping campaign against corporate cloud and CRM instances, name-and-shaming victim after victim. For Madison Square Garden Sports, the exposure is immediate and reputational — and the involvement of guest threat-assessment and biometric-adjacent material raises the privacy stakes well above a typical marketing-data leak. A proposed class-action lawsuit was filed in the weeks that followed.
Timeline
ShinyHunters publicly names Madison Square Garden Sports on its leak infrastructure, claiming to hold tens of millions of records and threatening to publish unless paid.
The extortion deadline set by ShinyHunters passes without payment.
ShinyHunters publishes the allegedly stolen data online; journalists reviewing the dump report it includes guest profiles and threat-assessment material tied to the Knicks and Rangers.
A proposed class-action lawsuit is filed over the breach.
Sources
- 404media.cohttps://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/
- bankinfosecurity.comhttps://www.bankinfosecurity.com/breach-roundup-shinyhunters-leaks-26m-msg-records-a-32019
- cybernews.comhttps://cybernews.com/security/shinyhunters-knicks-owner-breach-claim/
- news.bloomberglaw.comhttps://news.bloomberglaw.com/privacy-and-data-security/madison-square-garden-sued-after-shinyhunters-data-leak-news
- frontofficesports.comhttps://frontofficesports.com/madison-square-garden-hit-with-class-action-after-apparent-data-breach/