Madison Square Garden Sports (MSGS), the company behind the NBA’s New York Knicks basketball club and the NHL's New York Rangers, has been claimed by the notorious ShinyHunters hacker collective. Millions of records with customer details are exposed, the attackers claim.

Not a whole day has passed since a star-studded Madison Square Garden witnessed an incredible New York Knicks comeback against the San Antonio Spurs in the 4th NBA finals game, and one of the most notorious cybergangs claimed the club's owner as a victim.

The attackers, best known for recently defacing hundreds of American schools during finals week amidst the Canvas data breach, posted MSGS on the dark web blog they use to showcase their latest victims.

According to the attackers, they managed to siphon over 26 million records containing personally identifiable information (PII) of MSGS customers and internal corporate documents.

Since the company, among other things, owns prominent American sports clubs, the information could reveal personal details of basketball and hockey players and their contracts, as well as other highly guarded records.

“This is a final warning to reach out by June 15th, 2026, before we leak along with several annoying (digital) problems that’ll come your way,” the attackers threatened in the dark web post.

Cybercrime gangs often threaten victims before leaking data to pressure them into paying a ransom. However, security experts note that meeting attacker demands invites other cybercriminals and does not guarantee that malicious actors will delete stolen data.

Despite warnings, companies sometimes choose to pay the ransom, potentially emboldening attackers to continue their lucrative line of work. For example, Canvas admitted to reaching an “agreement with the unauthorized actor involved” in the attack. Unconfirmed reports quote payment of $10 million.

Meanwhile, ShinyHunters’ MSGS post does not include a data sample, so at the time of writing, it is impossible to verify the claims. However, ShinyHunters have been among the most prolific gangs in recent months, and their claims are typically valid.

Our researchers believe attackers could exploit stolen corporate data to target employees via advanced social engineering attacks. Moreover, malicious actors could use stolen information to map how MSGS operates, mapping possible entry points.

“Meanwhile, customer data here could mean different things. Attackers may be referring to ticket buyers, or people from 3rd parties such as advertisers, sponsors, but so far the scope is not clear,” researchers epxlained.

We have reached out to MSGS for comment and will update this article once we receive a reply.

MSGS generates over $1 billion in annual revenue and is the holding company for New York's largest basketball and ice hockey teams. The New York Knicks currently compete in the National Basketball Association (NBA) finals, while the National Hockey League’s (NHL) Rangers are preparing for the next season.

MSGS-owned teams’ home arena is New York City’s legendary Madison Square Garden indoor arena, owned by the Madison Square Garden Entertainment Corporation (MSG Entertainment).

Meanwhile, ShinyHunters has built a reputation for high-impact data theft and extortion operations. Earlier this week, the gang claimed American fashion behemoth Ralph Lauren Corporation as its latest victim.

The group has been active since 2019. Security researchers have linked the group to a broader supergroup alongside Scattered Spider and LAPSUS$, all of which share overlapping members and roots in the youth cybercrime subculture known as "The Com."

Arrests across Canada, France, Turkey, and Finland seem not to have deterred gang members from targeting established brands.

---

Unlock more exclusive Cybernews content on YouTube.