Madison Square Garden Sports, the company behind the New York Knicks and New York Rangers, was breached on June 5, 2026, during a ShinyHunters extortion campaign, and leaksear.ch has indexed 9,796,326 records from the dataset (leaksear.ch metadata) (www.msgsports.com). The indexed records include customer and staff CRM or support data such as names, email addresses, phone numbers, physical addresses, dates of birth, usernames, and customer-service details (leaksear.ch metadata).
What happened
Public breach listings and reporting describe this as a ShinyHunters pay-or-leak extortion case. Have I Been Pwned says MSG Sports was targeted in June 2026 and that the group later published alleged data, while 404 Media reported on June 16, 2026, that hackers had published stolen Madison Square Garden data online and that a reviewed sample included customer emails and Knicks-related files (haveibeenpwned.com, www.404media.co).
The exact intrusion path should be treated as reported, not as an official forensic finding. 404 Media later reported that the hackers said they called a low-level employee and tricked them into allowing access, a voice-phishing scenario that 404 Media connected to its review of the stolen data (www.404media.co).
What data was exposed
The leaksear.ch indexing metadata lists searchable identity fields including name, email address, phone number, physical address, country, date of birth, and username (leaksear.ch metadata). The same metadata also shows stored CRM and support context such as account and organization names, job titles, age, paid amounts, event names, lead source, owner, created and last-modified dates, record type, customer service case status and subject, and source file or table metadata (leaksear.ch metadata).
Have I Been Pwned lists the compromised categories as customer service records, email addresses, names, phone numbers, and physical addresses (haveibeenpwned.com). Password, payment card, and government ID fields are not listed in the leaksear.ch indexing metadata, but the exposed contact and service-history data is still sensitive when combined with event and CRM context (leaksear.ch metadata).
Why this matters
This leak gives attackers practical phishing material: names, emails, phone numbers, addresses, dates of birth, and support history can make fake ticketing, billing, refund, account-recovery, or VIP-support messages more convincing (leaksear.ch metadata). Security teams should watch for impersonation of MSG Sports, the Knicks, the Rangers, ticketing support, and customer service workflows. Individuals who interacted with MSG Sports, Knicks, Rangers, ticketing, or support channels should check whether their email, phone, name, username, address, or date of birth appears in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access to check this dataset, or sign in if they already have access. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username.