HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Madison Square Garden Sports Exposes Nearly 10 Million Email & Personal Records in ShinyHunters Extortion Campaign

In June 2026 Madison Square Garden Sports suffered a ShinyHunters extortion breach that released almost 10 million email addresses, names, phone numbers and customer‑service records. The incident highlights gaps in SOC 2 access‑control practices and the need for continuous audit evidence of password policies and MFA enforcement.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 haveibeenpwned.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
haveibeenpwned.com

Madison Square Garden Sports Exposes Nearly 10 Million Email & Personal Records in ShinyHunters Extortion Campaign

What Happened – In June 2026 the sports‑and‑entertainment company Madison Square Garden Sports became the target of a “pay‑or‑leak” extortion campaign run by the ShinyHunters group. The attackers published a data set containing almost 10 million unique email addresses, along with names, phone numbers, physical addresses, and customer‑service records for both staff and customers.

Why It Matters for Compliance & Audit Readiness

  • The breach illustrates a breakdown in SOC 2 Access Control (CC6.1) – inadequate password hygiene and missing multi‑factor authentication allowed credentials to be harvested at scale.
  • Continuous‑compliance programs must capture evidence that access‑control policies are enforced, that privileged‑access reviews are performed, and that breach‑response evidence (e.g., password‑reset logs) is retained for audit.
  • SOC 2 readiness also requires documented security‑awareness training; the incident underscores the need for regular phishing and credential‑theft simulations.

Who Is Affected – Sports & entertainment organizations, their employees, ticket‑holders, and any customers whose contact information was stored in MSG Sports’ CRM or support platforms.

Recommended Actions

  • Map the incident to SOC 2 CC6.1 (Access Control) and CC6.2 (Logical Access) controls; collect password‑reset logs, MFA enablement reports, and user‑access reviews as audit evidence.
  • Enforce organization‑wide strong‑password policies and mandatory MFA for all privileged and standard accounts.
  • Conduct a post‑breach credential‑reuse audit across all integrated services and remediate any reused passwords.
  • Update security‑awareness training to include simulated credential‑theft scenarios and verify completion.

Source: Have I Been Pwned – Madison Square Garden Sports breach

Technical Notes – The breach appears to stem from stolen credentials rather than a software vulnerability; no CVE is associated. Attackers leveraged the data in a “pay‑or‑leak” extortion model, publishing personal and employment details to pressure the organization.

📰 Original Source
https://haveibeenpwned.com/Breach/MadisonSquareGardenSports

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →