Wynn Resorts confirms employee data breach after extortion threat
Source: Bleeping Computer
Company response
- Activated incident‑response procedures immediately.
- Launched an investigation with the help of external cybersecurity experts.
- No impact on guest operations or physical properties – all locations remain fully operational.
- Offering complimentary credit‑monitoring and identity‑protection services to affected employees.
“We have learned that an unauthorized third party acquired certain employee data.” – Wynn Resorts statement to BleepingComputer
“Upon discovery, we immediately activated our incident‑response protocols and launched a thorough investigation with the help of external cybersecurity experts.”
“The unauthorized third party has stated that the stolen data has been deleted. We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused.”
Ransom status
Wynn has not disclosed whether a ransom was paid. The attackers claim the stolen data has been deleted—a claim that, in past extortion cases, often follows an agreement with the victim.
Image credit: Wiz – AI Security Board Report Template
Wynn Resorts Leak on ShinyHunters Site
A post on the ShinyHunters data‑leak site claimed the group had stolen “PII (SSNs, etc.) and employee data” from Wynn Resorts and gave the company until 23 Feb 2026 to make contact, or the data would be published.
“Over 800 k records containing PII (SSNs, etc.) and employee data have been compromised.”
“This is a final warning to reach out by 23 Feb 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.”
Shortly after the post went live, the Wynn entry was removed—a common sign that negotiations are underway or the claim is being disputed.
- Wynn Resorts has not commented on whether a ransom was paid or how many individuals were affected.
- ShinyHunters told BleepingComputer they had no comment on any payment.
The threat actors previously claimed the data originated from Wynn’s Oracle PeopleSoft environment.
About ShinyHunters
ShinyHunters is a data‑extortion group that:
- Breaches organizations and threatens to publish stolen data unless a ransom is paid.
- Has claimed responsibility for multiple high‑profile thefts and operates across underground forums and extortion portals.
Recent Activity
| Year | Campaign / Target | Notable Tactics |
|---|---|---|
| 2023 | Salesforce data theft | Social engineering, stolen third‑party OAuth tokens |
| 2024 | Panera Bread, Betterment, SoundCloud, Canada Goose, PornHub, Match Group | Voice‑phishing (vishing) of SSO accounts (Google, Microsoft, Okta) |
| 2024 | Microsoft Entra device‑code vishing | Obtaining authentication tokens via device‑code flow |
After compromising credentials and authentication codes, ShinyHunters hijacks SSO accounts to exfiltrate data from SaaS platforms such as:
- Salesforce
- Microsoft 365
- Google Workspace
- SAP
- Slack
- Adobe
- Atlassian
- Zendesk
- Dropbox
- …and many others
“As BleepingComputer first reported, the ShinyHunters group more recently adopted device‑code vishing to obtain Microsoft Entra authentication tokens.”
References
- Widespread campaign to steal Salesforce data
- ShinyHunters claims 15 billion Salesforce records stolen
- Panera Bread breach (51 M accounts)
- Betterment breach (14 M accounts)
- SoundCloud breach (298 M accounts)
- Canada Goose leak (600 k records)
- PornHub extortion
- Match Group breach (Hinge, Tinder, OKCupid, Match)
- SSO vishing attacks on Google, Microsoft, Okta
- Device‑code vishing against Microsoft Entra
The future of IT infrastructure is here
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, you’ll learn how your team can:
- Reduce hidden manual delays
- Improve reliability through automated response
- Build and scale intelligent workflows on top of tools you already use.