The New York Knicks clinched their first NBA championship in 53 years on June 5, 2026. That same day, ShinyHunters breached the organization that owns them. When Madison Square Garden Sports Corp. (MSG Sports) missed a June 15 ransom deadline, the threat group did what it always does: it published everything. A 45 GB dump landed on ShinyHunters' dark web blog, exposing more than 26 million customer and corporate records at the precise moment MSG was still celebrating the city’s biggest sports moment in years.
The timing was not accidental. ShinyHunters timed the data release to coincide with the Knicks' Finals run to ensure maximum public attention—a calculated move from a group that has turned data extortion into something resembling a professional operation.
Journalist Joseph Cox of 404 Media reviewed a sample of the stolen files and confirmed their legitimacy. The dump includes ticket purchaser emails, customer support correspondence, and internal "Talent" files—dossiers on high-profile individuals that include home addresses, appearance fees, direct contact information for representatives, and internal risk-level ratings. Actor and comedian Ben Stiller, for example, was tagged "Low Risk," and rapper A Boogie wit da Hoodie was tagged "High Risk." No documented criteria exist for either classification.
That last detail carries a particular irony. MSG has deployed facial recognition technology at its venues to identify and bar individuals it deems unwanted—including, as previously reported by WIRED, attorneys from law firms in active litigation against the company. The organization that surveils its own guests now has its own surveillance files publicly downloadable on the dark web.
MSG Sports has not issued a public statement addressing the breach as of this publication.
ShinyHunters is not a new name. Active since 2019, the group built its reputation on the now-seized RaidForums, and has since evolved into one of the most prolific data theft operations ever documented. The FBI issued a formal public service announcement about the group in May 2026 following the Canvas/Instructure breach, describing them as a cybercriminal group "specializing in large-scale data breaches and extortion" that targets "major companies across tech, finance, and retail." The agency also warned that ShinyHunters actors have used harassment tactics against victims and their family members—including swatting.
The scale of their 2026 campaign is hard to overstate. The group has claimed responsibility for breaching more than 40 organizations this year alone, with confirmed victims spanning nearly every sector. The roster includes Canvas/Instructure (275 million students across 9,000 institutions), ADT (5.5 million customers), Carnival Cruise (6 million passengers), Rockstar Games (nearly 80 million records), the European Commission (350 GB of internal data), and telecom giant Telus (a claimed 1 petabyte of data). Just days before the MSG dump, ShinyHunters also listed Kodak on their leak site with an identical "final warning" deadline—and Kodak confirmed the breach.
Security firm Mandiant, now part of Google, characterized ShinyHunters in January 2026 as "multiple threat clusters" operating under a single brand—a structure that has made the group resilient to law enforcement. Despite multiple arrests of suspected members, including a June 2025 sweep across French regions, the campaigns have not slowed. Mandiant's analysts link ShinyHunters to The Com, an international cybercrime network that also includes Scattered Spider and remnants of Lapsus$.
Three attack playbooks have defined the 2026 campaign: voice phishing to harvest SSO credentials; exploitation of Salesforce Experience Cloud misconfigurations that exposed customer data via anonymous API access; and OAuth supply chain attacks targeting third-party integrations with excessive access scopes. The PeopleSoft campaign added a fourth vector: exploitation of a zero-day (CVE-2026-35273) chained with known vulnerabilities to breach more than 300 instances at more than 100 organizations, including universities, hospitals, and government agencies.
MSG Sports is hardly the only sports organization to have landed in ShinyHunters' crosshairs—or any threat actor's. Research from Darktrace, a global AI cybersecurity vendor that commissioned the study, found that 84% of professional sports organizations experienced a cyber incident in the past 12 months, with 57% hit more than once. The same research found that sports organizations receive nearly 20% more phishing emails than organizations in other sectors, with more than one in five of those phishing emails targeting VIPs and executives.
Nathaniel Jones, VP of Security and AI Strategy and Field CISO at Darktrace, framed the broader pattern this way: "Sports organizations are attractive targets because they combine valuable data, high-profile individuals, complex vendor relationships, and digital systems that are expected to work under intense public pressure. A breach does not need to disrupt a game to cause damage. Exposed data, compromised executive accounts, or trusted communications used for fraud can quickly create financial and reputational consequences."
That last point is worth holding onto. The MSG breach did not take down a single game. The Knicks won the championship on schedule. The damage—26 million records on the open dark web, internal VIP dossiers downloadable by anyone—arrived entirely off the court.
A negligence claim was filed in the U.S. District Court for the Southern District of New York within days of the data publication. The lawsuit centers on the leaked threat assessment and biometric data that MSG collects from arena visitors—including internal correspondence about its facial recognition program—and argues that the organization failed to adequately protect information it collected in the absence of robust consent frameworks.
The ShinyHunters breach is MSG's second major incident in under a year and at least its third significant breach in roughly a decade. In August 2025, the Cl0p ransomware gang exploited an Oracle E-Business Suite vulnerability through a third-party vendor, exposing names and Social Security numbers for at least 38,393 individuals and leaking more than 210 GB of archived business records. Before that, a 2015–2016 point-of-sale malware attack harvested payment card data from venue visitors over nearly a full year. Two separate breach groups. Three separate incidents. One organization.
Matthieu Chan Tsin, SVP of Resiliency Services at Cowbell, noted that refusing to pay ShinyHunters was "a valiant stand," while also acknowledging that MSG "may now be liable to incur a different type of damage." That tradeoff—between funding a criminal enterprise and triggering a public data exposure—is precisely the leverage ShinyHunters has refined across 40+ victims this year.
Shane Barney, CISO at Keeper Security, offered the sharpest practitioner framing of what the MSG breach actually reveals: "ShinyHunters has demonstrated repeatedly that the most valuable data in an organization is rarely the data an organization thinks to protect most carefully. Ticketing systems, customer support platforms, and internal operational databases are not typically where security investment is concentrated, but they are where years of customer correspondence, internal profiles, and sensitive business information quietly accumulate. That is the gap this group consistently finds and exploits."
The follow-on question Barney poses is one worth sitting with: not how ShinyHunters got in, but what they could reach once inside. Operational systems treated as administrative infrastructure—rather than as high-value targets—often lack the access controls applied to more obviously sensitive environments. When access is not scoped to least privilege, monitored for anomalous behavior, or time-limited, the blast radius of any compromise expands well beyond what the initial foothold would suggest.
For security teams watching the MSG situation unfold, Barney identified the most pressing diagnostic question: "Whether they would have detected a similar exfiltration before the attacker announced it publicly. If the answer is uncertain, that is the gap worth addressing first."
Centralizing access governance, enforcing least privilege across every system that touches customer or employee data, and building in continuous monitoring are the controls that close that gap. They are also the controls that ShinyHunters' 2026 campaign has most consistently found missing.
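One way to put the detection question above to a test, as an added example that is not part of the original article: a per-identity export baseline run over constructed audit lines. The log format, account and system names, and thresholds are all assumptions, and none of the data comes from the MSG incident.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit lines (assumed format): one export event per line.
SAMPLE_LOG = """\
2026-05-26T09:10:00Z user=agent.lee system=support-desk action=export rows=180
2026-05-27T09:12:00Z user=agent.lee system=support-desk action=export rows=210
2026-05-28T09:05:00Z user=agent.lee system=support-desk action=export rows=195
2026-05-26T01:00:00Z user=svc-crm-sync system=ticketing action=export rows=5000
2026-05-27T01:00:00Z user=svc-crm-sync system=ticketing action=export rows=5200
2026-05-28T01:00:00Z user=svc-crm-sync system=ticketing action=export rows=4900
2026-05-29T01:00:00Z user=svc-crm-sync system=ticketing action=export rows=5100
2026-05-30T02:40:00Z user=svc-crm-sync system=ticketing action=export rows=410000
2026-05-30T02:55:00Z user=svc-crm-sync system=ticketing action=export rows=390000
2026-05-30T03:10:00Z user=svc-crm-sync system=talent-db action=export rows=60000
2026-05-30T09:15:00Z user=agent.lee system=support-desk action=export rows=230
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) system=(\S+) action=export rows=(\d+)$")

def daily_totals(log):
    """Sum exported rows per (user, system) per day; skip lines that do not parse."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            day, user, system, rows = m.groups()
            totals[(user, system)][day] += int(rows)
    return totals

def flag_exports(log, k=6.0, min_history=3, new_pair_floor=10000):
    """Return sorted (day, user, system, rows, reason) for days that break the baseline."""
    alerts = []
    for (user, system), days in daily_totals(log).items():
        ordered = sorted(days.items())
        for i, (day, rows) in enumerate(ordered):
            history = [r for _, r in ordered[:i]]
            if len(history) < min_history:
                # No baseline yet: alert only when a never-seen identity/system pair moves bulk data.
                if not history and rows >= new_pair_floor:
                    alerts.append((day, user, system, rows, "new-pair-bulk"))
                continue
            med = median(history)
            mad = median(abs(r - med) for r in history) or 1  # avoid a zero-width band
            if rows > med + k * 1.4826 * mad:  # 1.4826 scales MAD to a std-dev estimate
                alerts.append((day, user, system, rows, "volume-spike"))
    return sorted(alerts)
```

The service account's routine nightly sync stays quiet, while the same account's bulk pull and its first-ever read of a different system both alert; the human agent's ordinary exports never do.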
Anyone who has purchased tickets to MSG events, contacted MSG customer support, or attended events at MSG venues should assume their contact information may be in the exposed data. That means staying alert to phishing emails or texts referencing MSG accounts or recent purchases—particularly those that ask the recipient to click a link, verify payment details, or reset a password. Using unique credentials for the MSG account (a password manager helps), enabling multi-factor authentication where available, and treating any communication that references unexpected personal details with suspicion are the baseline steps.
Security teams should also note that ShinyHunters has a documented history of follow-on harassment campaigns against individuals named in leaked files. The FBI's May 2026 PSA specifically warned that the group may contact breach victims directly—including via threatening calls and texts—and that those contacts should not be engaged or paid.