Yes — Madison Square Garden Sports (msgsports.com) was breached. The corporate parent of the New York Knicks and New York Rangers now appears on Have I Been Pwned with 9,796,738 accounts tied to a June 5, 2026 incident attributed to the extortion group ShinyHunters.
Reporting from 404 Media and The National CIO Review describes a 45GB+ public data dump published after MSG declined to pay ransom — including customer correspondence, talent dossiers, and internal risk ratings for celebrities and VIP guests.
We scanned msgsports.com and related MSG public domains to see how their email security posture compares to the scale of this breach.
What Happened
According to published reporting and breach aggregators:
- June 5, 2026 — ShinyHunters gained access to MSG systems. 404 Media reported the entry point as vishing — a voice-phishing call that tricked a low-level employee into granting access to Microsoft Entra (Azure AD).
- June 12, 2026 — The group listed Madison Square Garden Sports on its leak site and demanded ransom.
- June 16, 2026 — After MSG apparently did not pay, ShinyHunters published the stolen archive publicly.
- June 24, 2026 — Have I Been Pwned added the breach as MadisonSquareGardenSports with nearly 9.8 million affected accounts.
The leak landed days after the Knicks’ 2026 NBA Finals win, drawing unusual public attention to a breach that might otherwise have stayed in security circles.

Data at Risk
Journalists who reviewed portions of the leak reported finding:
- Customer emails and correspondence about MSG policies (including facial-recognition topics)
- Talent and relationship records — former Knicks players, coaches, celebrities, and executive family members
- Fields such as addresses, contact details, appearance fees, representative information, and biographical notes
- Internal risk designations labeling individuals “Low Risk” or “High Risk” without published methodology

Separate From the March Oracle Breach
This ShinyHunters incident appears distinct from MSG’s earlier March 2026 disclosure involving Oracle’s E-Business Suite — reporting tied that compromise to the Cl0p ransomware group.
Different threat actors, different systems, and a separate timeline. At the time of reporting, MSG had not issued a detailed public statement addressing the ShinyHunters dump specifically.
Independent Cybersecurity Audit
We ran EmailMeNow Cybersecurity Audits against Madison Square Garden Sports and related public-facing domains on July 4, 2026:
| Domain | Overall | Identity & Spoofing | Transport Security | Website Security | Risk Level |
|---|---|---|---|---|---|
| msgsports.com | 70% | 90% | 15% | 45% | Good |
| msg.com | 44% | 25% | 15% | 45% | Below Average |
| nyknicks.com | 31% | 0% | 15% | 45% | Weak |
Key findings:
- msgsports.com (70%, Good) has strong email identity controls (90%) — DMARC and SPF posture on the corporate sports domain is materially better than customer-facing properties. That helps defend
@msgsports.comfrom direct spoofing, but it does not undo a breach that already exfiltrated millions of records. - Transport Security is uniformly weak (15%) across all three domains — no effective MTA-STS enforcement or TLS-RPT reporting. Mail paths remain vulnerable to downgrade and interception even when identity headers look correct.
- nyknicks.com (31%, Weak) scores 0% on Identity & Spoofing — meaning fan-facing email impersonation is far easier on the Knicks domain than on the corporate parent. After a leak of customer contact data, that gap matters.
- msg.com (44%, Below Average) — the main venue and ticketing domain — sits 25% on Identity & Spoofing, well below the corporate domain and insufficient for an organization handling ticket buyer correspondence at scale.

These public-facing scores do not prove how ShinyHunters entered MSG’s network — reporting points to vishing and SSO compromise, not a missing DMARC record. They do show a split posture: corporate identity controls outpace customer-facing domains, while transport hardening lags everywhere.
Audit links:
Why Email Security Still Matters After a Vishing Breach
The MSG intrusion started with a phone call, not a spoofed email — but email security remains relevant for three reasons:
- Post-breach impersonation. Attackers who already hold customer emails can send convincing fake breach notices, ticket refunds, or credit-monitoring offers from lookalike domains — especially where DMARC enforcement is weak (
msg.com,nyknicks.com). - Repeat extortion pressure. ShinyHunters’ playbook — steal data, demand ransom, publish if unpaid — is the same pattern documented in our April 2026 ShinyHunters roundup and the MSG/Knicks leak report.
- Regulatory and litigation fallout. Class-action lawsuits filed after the leak cite MSG’s history of prior breaches — email and domain security documentation becomes part of a defensible cybersecurity posture.

Priority Actions
If you attended MSG events or exchanged emails with the organization:
- Assume contact information in the leak may be used for targeted phishing — verify any breach notice through official channels, not links in unsolicited email or text.
- Check Have I Been Pwned for exposure under Madison Square Garden Sports.
- Watch for fake ticket refunds, VIP offers, and credit-monitoring scams referencing Knicks or Rangers branding.
For venues, sports franchises, and hospitality operators:
- Treat vishing and help-desk social engineering as primary threats — enforce MFA, callback verification, and privileged-access monitoring on identity providers like Microsoft Entra.
- Align DMARC
p=rejectacross all customer-facing domains, not just corporate properties. - Deploy MTA-STS
mode=enforceand TLS-RPT on every domain that sends transactional or marketing email. - Prepare notification templates before a leak-site countdown expires — see our hospitality & retail breach tracker.
Related Trackers
- MSG / Knicks ShinyHunters leak (June 2026)
- Hospitality & retail tracker
- Have I Been Pwned 2026 roundup
- Ransomware threat landscape
- Breach monitoring guide
Protect ticket buyers, members, and VIP contacts.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=hospitality-retail or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.
Sources: Have I Been Pwned — Madison Square Garden Sports · 404 Media — Hackers Publish Knicks and Madison Square Garden Data Online · 404 Media — How Hackers Broke into Madison Square Garden · The National CIO Review · EmailMeNow audits — msgsports.com · msg.com · nyknicks.com