High

MSG Sports Breach: 9.8M Email Addresses Exposed (2026)

In June 2026, the sports and entertainment company Madison Square Garden Sports was the target of a ShinyHunters "pay or leak" extortion campaign. The group later published the alleged data, which included almost 10M unique email addresses spanning staff and customers, along with extensive personal...

Overview

In June 2026, Madison Square Garden Sports, the parent company of iconic venues like Madison Square Garden and teams such as the New York Knicks and Rangers, was hit by a “pay or leak” extortion campaign orchestrated by the threat group ShinyHunters. The attackers claimed to have stolen nearly 10 million unique email addresses, along with extensive personal, employment, and customer relationship information. The data was subsequently published on underground forums, impacting both staff and customers. The breach was reported to Have I Been Pwned, allowing affected individuals to check their exposure.

What Was Exposed

The primary exposed data type is Email Addresses, but the full dataset reportedly includes:

  • Personal Information: Names, phone numbers, physical addresses.
  • Employment Data: Job titles, employer names, work history for staff and contractors.
  • Customer Relationship Details: Ticket purchase history, membership status, and account preferences.

While no financial data such as credit card numbers, and no Social Security numbers, have been confirmed as exposed, the combination of email addresses and personal details significantly elevates the risk of targeted phishing and social engineering attacks.

How the Breach Happened

The breach was part of a known ShinyHunters MO: “pay or leak” extortion, where stolen data is held for ransom, and if unpaid, publicly released. Although the specific attack vector (e.g., SQL injection, credential stuffing) has not been disclosed, the scale and speed of the leak suggest a successful compromise of a backend database or CRM system. The attackers likely exploited a vulnerability in a web application or obtained access through a compromised employee account.

Who’s Actually Affected

While the breach is named after Madison Square Garden Sports, the actual impact extends beyond their immediate customers. The leaked data includes staff members, season ticket holders, and single-event buyers, plus potentially business partners and vendors who interacted with MSG’s systems. Anyone with an email address tied to MSG Sports should consider themselves at risk, even if they haven’t received a direct notification.

What to Do Right Now

  1. Check Have I Been Pwned: Visit haveibeenpwned.com and search your email. If your address appears, it was part of this breach.
  2. Enable Multi-Factor Authentication (MFA): If your email account or any MSG-related account allows MFA, enable it immediately. Email accounts are a gateway to password resets for other services.
  3. Beware of Targeted Phishing: With your email and personal details now public, expect phishing emails impersonating MSG, partners, or even security firms. Never click links or download attachments from unsolicited messages. Check cybersecurity news for emerging phishing campaigns related to this breach.
  4. Update Your Passwords: Change passwords for any accounts using the same email as your login, especially if you reuse passwords. Use a password manager for unique, complex passwords.

Security Insight

This breach underscores a recurring pattern in high-profile entertainment and sports breaches: customer relationship data is a lucrative target for extortion, yet organizations often underestimate its sensitivity. The exposure of nearly 10 million emails combined with personal details is a near-perfect phishing dataset, similar to breaches at other major venues like Ticketmaster and Live Nation. The lack of immediate disclosure of the attack vector suggests MSG may still be investigating, but the lesson is clear: companies must segment their data, enforce MFA for all internal systems, and proactively monitor for credential dumps on dark web forums to prevent such leaks.
