US sports and live-entertainment company; owner of the New York Knicks (NBA) and New York Rangers (NHL).
In June 2026, Madison Square Garden was targeted in a ShinyHunters "pay or leak" extortion campaign. Initial access came via a vishing (voice-phishing) call to a low-level employee, yielding Microsoft Entra identity access to MSGs client and talent databases. After MSG missed a June 15 ransom deadline, the group published roughly 45GB of data on June 16. The published set included almost 10 million unique email addresses spanning staff and customers, along with names, phone numbers, physical addresses (close to 5 million street addresses), customer-service records, and about 9,500 dates of birth. The attackers claimed roughly 26 million customer and corporate records overall and said the dump also contained Social Security numbers, credit scores, background-check data, facial-recognition/biometric surveillance records, and internal "threat assessments" profiling celebrities and talent (with representative contacts and "cost of talent" fields). Three-plus class actions have followed.
ObscureIQ assessment: Targeting-grade, not merely identity-theft-grade. Attendance records plus home address establish pattern-of-life for frequent venue-goers; leaked representative/relationship contacts fuel impersonation of principals to their own staff (the same vishing vector that caused the breach); and any leaked facial-recognition templates are a permanent, non-rotatable exposure. Response shifts from "monitor credit" to "harden physical and communications posture."
For ordinary customers this is a large-scale phishing and identity-profiling exposure. For high-profile individuals it is materially more dangerous: the leak is a curated, pre-structured intelligence product (home address, attendance/pattern-of-life, associates and representative contacts, and in some cases a literal risk label), enabling physical predictability, high-credibility impersonation/social engineering, and permanent biometric exposure. Multiple class actions are active in the S.D.N.Y.
Madison Square Garden Sports Corp. (Dolan-controlled) is a US sports company that owns and operates the New York Knicks (NBA) and New York Rangers (NHL), within the wider Madison Square Garden family of venues and entertainment brands.
MSG collects customer identity and contact data, ticketing and customer-service records, VIP/talent profiles, and biometric facial-recognition data from its venue-screening program across Madison Square Garden, Radio City Music Hall, the Beacon and Chicago Theatres, and The Sphere.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Social Engineering.
If you believe your information may be included:
In June 2026, Madison Square Garden was targeted in a ShinyHunters "pay or leak" extortion campaign. Initial access came via a vishing (voice-phishing) call to a low-level employee, yielding Microsoft Entra identity access to MSGs client and talent databases. After MSG missed a June 15 ransom…
Verified fields include Customer Service Records, Date of Birth, Email Address, Full Name, Phone Number, Physical Address.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation