Back to news
Cybersecurity Alert
July 4, 2026 by EmailMeNow IT Consulting

Was Madison Square Garden Sports Breached? We Scanned Their Domain Security

Madison Square Garden Sports (msgsports.com) appears on Have I Been Pwned with 9.8M accounts after a ShinyHunters leak. Independent audits score msgsports.com at 70% with strong identity but 15% transport security — while msg.com and nyknicks.com score far lower.

Source: Have I Been Pwned · 404 Media

NewsData BreachShinyHuntersExtortionEmail SecurityCybersecurity
Madison Square Garden Sports employee targeted by vishing attack leading to data breach

Yes — Madison Square Garden Sports (msgsports.com) was breached. The corporate parent of the New York Knicks and New York Rangers now appears on Have I Been Pwned with 9,796,738 accounts tied to a June 5, 2026 incident attributed to the extortion group ShinyHunters.

Reporting from 404 Media and The National CIO Review describes a 45GB+ public data dump published after MSG declined to pay ransom — including customer correspondence, talent dossiers, and internal risk ratings for celebrities and VIP guests.

We scanned msgsports.com and related MSG public domains to see how their email security posture compares to the scale of this breach.

What Happened

According to published reporting and breach aggregators:

  • June 5, 2026 — ShinyHunters gained access to MSG systems. 404 Media reported the entry point as vishing — a voice-phishing call that tricked a low-level employee into granting access to Microsoft Entra (Azure AD).
  • June 12, 2026 — The group listed Madison Square Garden Sports on its leak site and demanded ransom.
  • June 16, 2026 — After MSG apparently did not pay, ShinyHunters published the stolen archive publicly.
  • June 24, 2026 — Have I Been Pwned added the breach as MadisonSquareGardenSports with nearly 9.8 million affected accounts.

The leak landed days after the Knicks’ 2026 NBA Finals win, drawing unusual public attention to a breach that might otherwise have stayed in security circles.

Illustration: vishing attack on MSG employee granting ShinyHunters access to Microsoft Entra

Data at Risk

Journalists who reviewed portions of the leak reported finding:

  • Customer emails and correspondence about MSG policies (including facial-recognition topics)
  • Talent and relationship records — former Knicks players, coaches, celebrities, and executive family members
  • Fields such as addresses, contact details, appearance fees, representative information, and biographical notes
  • Internal risk designations labeling individuals “Low Risk” or “High Risk” without published methodology

Illustration: nearly 9.8M HIBP accounts and post-breach impersonation risks

Separate From the March Oracle Breach

This ShinyHunters incident appears distinct from MSG’s earlier March 2026 disclosure involving Oracle’s E-Business Suite — reporting tied that compromise to the Cl0p ransomware group.

Different threat actors, different systems, and a separate timeline. At the time of reporting, MSG had not issued a detailed public statement addressing the ShinyHunters dump specifically.

Independent Cybersecurity Audit

We ran EmailMeNow Cybersecurity Audits against Madison Square Garden Sports and related public-facing domains on July 4, 2026:

DomainOverallIdentity & SpoofingTransport SecurityWebsite SecurityRisk Level
msgsports.com70%90%15%45%Good
msg.com44%25%15%45%Below Average
nyknicks.com31%0%15%45%Weak

Key findings:

  • msgsports.com (70%, Good) has strong email identity controls (90%) — DMARC and SPF posture on the corporate sports domain is materially better than customer-facing properties. That helps defend @msgsports.com from direct spoofing, but it does not undo a breach that already exfiltrated millions of records.
  • Transport Security is uniformly weak (15%) across all three domains — no effective MTA-STS enforcement or TLS-RPT reporting. Mail paths remain vulnerable to downgrade and interception even when identity headers look correct.
  • nyknicks.com (31%, Weak) scores 0% on Identity & Spoofing — meaning fan-facing email impersonation is far easier on the Knicks domain than on the corporate parent. After a leak of customer contact data, that gap matters.
  • msg.com (44%, Below Average) — the main venue and ticketing domain — sits 25% on Identity & Spoofing, well below the corporate domain and insufficient for an organization handling ticket buyer correspondence at scale.

Illustration: split email security posture across msgsports.com, msg.com, and nyknicks.com

These public-facing scores do not prove how ShinyHunters entered MSG’s network — reporting points to vishing and SSO compromise, not a missing DMARC record. They do show a split posture: corporate identity controls outpace customer-facing domains, while transport hardening lags everywhere.

Audit links:

Why Email Security Still Matters After a Vishing Breach

The MSG intrusion started with a phone call, not a spoofed email — but email security remains relevant for three reasons:

  1. Post-breach impersonation. Attackers who already hold customer emails can send convincing fake breach notices, ticket refunds, or credit-monitoring offers from lookalike domains — especially where DMARC enforcement is weak (msg.com, nyknicks.com).
  2. Repeat extortion pressure. ShinyHunters’ playbook — steal data, demand ransom, publish if unpaid — is the same pattern documented in our April 2026 ShinyHunters roundup and the MSG/Knicks leak report.
  3. Regulatory and litigation fallout. Class-action lawsuits filed after the leak cite MSG’s history of prior breaches — email and domain security documentation becomes part of a defensible cybersecurity posture.

Sports fan receiving fake breach notification and ticket refund phishing message on smartphone

Priority Actions

If you attended MSG events or exchanged emails with the organization:

  • Assume contact information in the leak may be used for targeted phishing — verify any breach notice through official channels, not links in unsolicited email or text.
  • Check Have I Been Pwned for exposure under Madison Square Garden Sports.
  • Watch for fake ticket refunds, VIP offers, and credit-monitoring scams referencing Knicks or Rangers branding.

For venues, sports franchises, and hospitality operators:

  • Treat vishing and help-desk social engineering as primary threats — enforce MFA, callback verification, and privileged-access monitoring on identity providers like Microsoft Entra.
  • Align DMARC p=reject across all customer-facing domains, not just corporate properties.
  • Deploy MTA-STS mode=enforce and TLS-RPT on every domain that sends transactional or marketing email.
  • Prepare notification templates before a leak-site countdown expires — see our hospitality & retail breach tracker.

Protect ticket buyers, members, and VIP contacts.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=hospitality-retail or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.


Sources: Have I Been Pwned — Madison Square Garden Sports · 404 Media — Hackers Publish Knicks and Madison Square Garden Data Online · 404 Media — How Hackers Broke into Madison Square Garden · The National CIO Review · EmailMeNow audits — msgsports.com · msg.com · nyknicks.com