Madison Square Garden Sports: ShinyHunters Data Extortion

"Madison Square Garden Sports Corp., the parent company of the New York Knicks and New York Rangers, is the target of a public extortion campaign by ShinyHunters, one of the most prolific data theft crews operating…"

Madison Square Garden Sports Corp., the parent company of the New York Knicks and New York Rangers, is the target of a public extortion campaign by ShinyHunters, one of the most prolific data theft crews operating today. The group claims to have stolen more than 26 million customer records and has set a final deadline of June 15, 2026 for the company to negotiate before it begins leaking the data. As of this writing, MSG Sports has neither confirmed nor denied the breach.

What Happened

ShinyHunters surfaced the claim through underground forums and the group's own communication channels, asserting it had exfiltrated over 26 million customer records from MSG's environment. The actor issued a blunt ultimatum in its public statement: "This is a final warning to reach out by 15 June 2026 before we leak along with several annoying digital problems."

The phrasing follows ShinyHunters' established playbook: pure data theft paired with public pressure, rather than file-encrypting ransomware. Security researchers increasingly describe the group as a "ransomware-adjacent" operation that monetizes stolen records through extortion. MSG has not issued a breach notification, leaving customers without official confirmation of scope or exposure.

What Was Taken

According to the group's posts, the stolen dataset allegedly includes:

Customer personally identifiable information (PII)
Internal corporate documents
Records tied to MSG's ticketing and event operations

At 26 million-plus records, the claimed haul is consistent with a large consumer-facing ticketing and events footprint. MSG's properties span Madison Square Garden arena and Radio City Music Hall, along with ownership stakes in multiple professional franchises, meaning a single compromised data store could plausibly aggregate years of ticket buyers, merchandise purchasers, and event attendees. Until MSG provides clarity, the safe assumption for affected customers is that contact details and any financial information tied to purchases may be in the actor's hands.

Why It Matters

This is not an isolated hit. ShinyHunters was recently linked to the Oracle PeopleSoft exploitation campaign that compromised over 100 organizations through CVE-2026-35273, activity Mandiant tracks under the UNC6240 designation. That campaign deliberately targeted HR, payroll, and financial data, signaling a maturing focus on high-value corporate records rather than opportunistic database grabs.

The timing around the MSG deadline is conspicuous. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog on June 12, directing federal agencies to patch by June 15, the very same date ShinyHunters set for MSG. The convergence underscores how quickly a known enterprise vulnerability can translate into active extortion pressure against downstream victims. ShinyHunters has been a fixture since 2020, with prior breaches affecting Microsoft, Tokopedia, and Wishbone, and its continued evolution makes it a standing threat to any organization holding large consumer datasets.

The Attack Technique

Neither MSG nor outside researchers have disclosed how the attackers obtained initial access, and no vector has been confirmed for this incident. Given ShinyHunters' recent and ongoing exploitation of the PeopleSoft flaw, organizations running Oracle enterprise software should treat the MSG claim as a prompt to verify patch status for CVE-2026-35273 immediately. The group's broader history also includes credential abuse, exposed cloud storage, and exploitation of internet-facing applications, so defenders should not assume a single entry point.

What Organizations Should Do

Patch CVE-2026-35273 across all Oracle PeopleSoft and related enterprise deployments now, and confirm remediation against the CISA KEV guidance.
Audit internet-facing applications and cloud storage for exposed data stores, misconfigurations, and unused administrative access.
Hunt for indicators of exfiltration, including anomalous large outbound transfers and unexpected database queries against customer record tables.
Enforce phishing-resistant multi-factor authentication and rotate credentials for privileged and service accounts.
Prepare incident response and legal notification workflows in advance, so an extortion deadline does not dictate your timeline.
For MSG customers: monitor accounts tied to ticket purchases, enable credit fraud alerts if financial data was provided, watch for phishing referencing the Knicks or Rangers, and change any reused passwords.

Sources: ShinyHunters Claims 26M Records From Madison Square Garden | ProbablyPwned