New Wave of Data Leaks: LastPass and Madison Square Garden Affected

June 25, 2026

Summary

In late June 2026, the cybersecurity landscape experienced another series of significant data leaks, highlighting the persistent vulnerability of personal and corporate data. Key incidents include the exposure of millions of facial recognition records and visitor dossiers from Madison Square Garden (MSG) Entertainment, and a confirmed supply chain data breach at password manager provider LastPass via a third-party platform. These incidents underscore that security risks often arise from secondary platforms and biometric databases, rather than core infrastructures.

What happened?

Two major data leaks and a notable community report emerged in late June 2026:

  • Madison Square Garden Biometric Leak: The hacking group ShinyHunters leaked a 45 GB dataset stolen from MSG Entertainment. Crucially, the leak includes facial recognition logs and biometrics of up to 26 million visitors, alongside a dossier targeting prominent privacy activists who criticized MSG’s surveillance.
  • LastPass Supply Chain Breach: LastPass confirmed that customer relationship data (names, emails, phone numbers, and support tickets) was accessed. The breach occurred via a supply chain attack on Klue, a market intelligence platform. LastPass emphasized that its core password vaults remain fully secure.
  • Reddit Community Disclosure: On the subreddit r/SecurityCareerAdvice, a user disclosed finding a massive database leak containing millions of records, seeking advice on responsible disclosure and bug bounty processes.

Why it matters

These incidents highlight distinct, critical facets of modern data exposure:

  1. The Permanence of Biometrics: Unlike passwords, biometric templates cannot be rotated. The exposure of facial recognition data poses long-term privacy and tracking risks for millions of venue visitors.
  2. Third-Party Risk (Supply Chain): The LastPass incident shows how secure organizations remain vulnerable through third-party integrations. Even when core vaults are untouched, leaked CRM data exposes users to highly targeted phishing.
  3. Surveillance of Critics: The compilation of dossiers on privacy advocates by MSG security indicates a troubling use of surveillance tools to monitor public opposition.

Evidence

The incidents have been documented and verified:

  • MSG Dark Web Leak & Lawsuits: ShinyHunters published the 45 GB MSG archive on their blog, leading to a class-action lawsuit (Avalo v. MSG Entertainment) in New York.
  • LastPass Disclosure: LastPass officially confirmed the Klue API token compromise and Salesforce CRM data access, detailing their remediation steps.
  • Community Forum Activity: The Reddit post on r/SecurityCareerAdvice details the discovery of an unsecured database.

Analysis

These breaches indicate a shifting focus towards peripheral data stores and biometric collection. While companies harden their primary databases, secondary marketing platforms (like Klue) and internal surveillance databases (like MSG’s facial recognition logs) remain softer targets. The MSG incident, in particular, raises ethical and legal questions about the bulk collection and retention of biometric data without explicit consent. It demonstrates that any collected data will eventually become a target, and biometrics carry the highest risk due to their unalterable nature.

Practical Takeaways

  • For Individuals: LastPass users should expect a potential rise in targeted phishing attempts and verify any communications claiming to be from the company. MSG visitors should monitor for signs of identity theft.
  • For Businesses: Organizations must audit all third-party API permissions and OAuth tokens (such as those used for CRM tools) and apply the principle of least privilege.
  • For Security Teams: Biometric data should not be stored long-term or unencrypted. Surveillance systems must be isolated from main corporate networks.

Open Questions

  • What regulatory actions will be taken against MSG Entertainment under the New York SHIELD Act or CCPA?
  • How will password managers adapt their third-party vendor risk management to prevent CRM exposures?
  • Will the class-action lawsuits force a legal precedent regarding the commercial use of facial recognition?

Sources

  1. Yahoo News: Hackers leak facial recognition records tied to millions of Madison
  2. Mashable: LastPass data breach confirmed: everything we know so far
  3. Reddit: FOUND MILLION OF DATA LEAK. need advice on how to get a bounty