A data breach at Madison Square Garden Sports (MSGS) and the New York Knicks has exposed more than 26 million corporate and customer records, including the personal information of players and celebrities.
MSGS learned of the data breach after the notorious hacking gang ShinyHunters, linked to several recent breaches, listed the company on a dark web data leak site and demanded a ransom.
ShinyHunters breaches Madison Square Garden and the Knicks
On June 12, 2026, the prolific English-speaking cybercrime group ShinyHunters claimed responsibility for the Madison Square Garden and Knicks data breach and listed the company on its dark web data leak site. The group claims to have stolen a compressed data archive of approximately 46 GB containing over 26 million customer records and internal corporate documents.
The hacking group did not initially publish any data samples to prove it had access to the stolen information. However, the group often issues credible threats without releasing samples, which lends credence to the data breach claims.
Madison Square Garden had until June 15 to pay the ransom, or ShinyHunters would publish the stolen information. The group claims the data breach occurred on June 5, although it was made public only after the team’s championship win, likely to capitalize on heightened media attention.
“It’s very simple. When you pay us, your data is deleted, and you move on with your life. When you don’t pay us, you get posted here, among other things,” the hacking gang threatened.
Meanwhile, MSGS has not confirmed the data breach, and the attack vector exploited remains unknown. Active since 2019, ShinyHunters typically leverages social engineering, phishing, weak or compromised credentials, SIM swapping, Single Sign-On (SSO) abuse, and credential stuffing to breach organizations and exfiltrate information. Over the years, ShinyHunters has developed a reputation for compromising hundreds of organizations by exploiting SaaS platforms, third-party integrations, and cloud-based environments.
The group recently claimed responsibility for breaching American fashion powerhouse Ralph Lauren Corporation and stealing 200 GB of data, including personal information.
MSG has also experienced similar data breaches in the past, including the 2025 Clop ransomware attack that exploited Oracle E-Business Suite, leaking 210 GB of internal data. Between 2015 and 2016, hackers also compromised MSG visitors’ payment card data through point-of-sale terminals.
“While there will be plenty of commentary on the celebrity names, the most important aspect of the Madison Square Garden breach is the richness of the identity data,” said Brian Bell, CEO of FusionAuth. “The reported inclusion of a customer complaint about MSG’s use of facial recognition is exactly why identity solutions and their data need to be treated as critical infrastructure. Businesses and their customers are only now realizing that protecting identity is about far more than logins and passwords.”
ShinyHunters leaks data from Madison Square Garden and the Knicks
On June 16, 2026, ShinyHunters published data stolen from Madison Square Garden Sports and the Knicks for everybody to download and exploit.
The data breach leaked the personal information of various Knicks talents and coaches, and in some cases, their representatives, including addresses, contact information, and confidential notes such as “claim to fame” and “cost of talent.” The data breach also potentially leaked biometric facial recognition and background check information. That information is now subject to a proposed class action lawsuit. However, there is no evidence that the data breach exposed confidential financial details or account information, such as passwords.
“Anyone who has purchased tickets, contacted MSG customer support or attended events at MSG venues in recent years should assume their contact information may be among the exposed data,” warned Shane Barney, Chief Information Security Officer at Keeper Security. “That means being alert to phishing emails and text messages that appear to reference your MSG account or recent purchases, particularly any that ask you to click a link, verify payment information or reset a password.”
According to the leaked files, comedian Ben Stiller was categorized as “Low Risk,” while rapper A Boogie wit da Hoodie was labeled “High Risk.” Teams and companies use this confidential information to make signing, partnership, and advertising decisions. Once leaked, the internal assessments could draw attention to the company’s talent management practices or undermine the victims’ reputations.
“A breach like this exposes decisions an organization made about people – who got flagged, who got sorted into which category – that most of them never knew existed,” Bell added. “That’s a different kind of harm than a leaked credential. A password can be reset; a customer’s standing with a brand, once it’s public that they were quietly labeled, cannot. The people in the data carry the exposure, and the organization wears the reputational cost of every private decision it’s now shown to have made.”
Subsequently, the leaked information could increase pressure on MSGS, the Knicks, and other affected NBA and NHL teams to comply with the ransom demands. The victims also face an increased risk of phishing attacks following the exposure of their contact information.
“The reported Madison Square Garden incident should be viewed in the context of a much wider pattern of cyber risk across professional sport,” said Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace. “Our recent research found that 84% of professional sports organizations experienced a cyber incident in the past 12 months, and 57% were hit more than once. That tells us this is not an isolated issue for a single team, venue, or league.”

