Internal MSG Sports files quietly tagged Ben Stiller as “Low Risk” and rapper A Boogie wit da Hoodie as “High Risk” — with no documented criteria for either label. That database was supposed to stay backstage. The cybercrime group ShinyHunters set a June 15, 2026 ransom deadline for MSG Sports, according to Cybernews. MSG reportedly didn’t pay. ShinyHunters published. A 45 GB dump landed on their dark-web blog right as the Knicks were riding an NBA Finals run, ensuring maximum eyeballs on the wreckage. This is MSG’s second major breach in under a year — part of a broader wave of incidents where hackers steal sensitive data to extort organizations.
What Got Stolen
The confirmed sample contains customer correspondence, structured VIP profiles, and internal risk ratings — with several data categories still unverified.
ShinyHunters claims over 26 million customer and corporate records from MSG Sports systems, with the full dump nearing 45 GB. A sample reviewed directly by 404 Media contained customer emails sent to MSG — likely pulled from ticketing or support systems — along with some MSG responses. The same sample included internal “Talent” files listing high-profile individuals with fields such as:
- address
- claim to fame
- cost of talent
- risk level
- contact information
Stiller was listed via his production company as “Low Risk”; A Boogie wit da Hoodie appeared as the sole “High Risk” entry in the reviewed portion, criteria undocumented. One customer email in the sample involved a man worried about being flagged by MSG’s facial recognition system.
Whether payment card data or Social Security numbers exist in this specific dump remains unconfirmed — and that distinction matters. The earlier Oracle breach definitively exposed names and SSNs of roughly 131,070 individuals, per SecurityWeek.
Two Break-Ins, One Building
MSG’s ShinyHunters incident is a separate compromise from the Cl0p ransomware attack confirmed in 2025 — different group, different systems, different data.
MSG was already confirmed as a Cl0p ransomware victim after attackers exploited a third-party vendor’s Oracle E-Business Suite in August 2025, ultimately leaking 210-plus GB of archived business records. ShinyHunters is a different group operating on different infrastructure. Two separate break-ins at the same building. ShinyHunters’ claims are “typically valid,” according to Cybernews, which noted the group rarely fabricates breaches — and the 404 Media sample review provides strong corroboration that this leak is genuine.
The surveillance irony cuts deep. MSG has deployed surveillance app-level facial recognition at its venues to identify and bar certain visitors — including lawyers from firms in litigation against the company, as previously reported by WIRED. Whether biometric templates or surveillance logs appear in the ShinyHunters dump remains unconfirmed. But the watchers got watched.
What This Means for Anyone in the Data
Three distinct groups face real, compounding exposure depending on which breach — or both — touched their information.
- Ticketing customers — exposed correspondence creates immediate phishing and harassment risk, particularly tied to high-visibility Knicks events.
- Employees and vendors caught in the Oracle breach already face compounding identity theft and tax fraud exposure from the confirmed SSN leak.
- VIPs listed in talent files now have home addresses, appearance fees, and internal risk ratings circulating publicly — creating both physical security concerns and fertile ground for targeted social engineering against them and their representatives.
MSG has not issued a public statement on the ShinyHunters breach as of the latest reporting. Class-action investigations tied to the Oracle incident are already underway — part of a long pattern of tech scandals that have exposed millions of people’s data. Whether credit monitoring adequately addresses 26 million records sitting on a dark-web leak blog remains very much an open question.
