ShinyHunters, a cybercriminal crew known for enterprise extortion campaigns, has now put Wynn Resorts in its crosshairs. The group listed the company on its leak blog on Friday, Feb. 20, 2026, claiming to hold roughly 800,000 employee records and setting a starting price of 22.34 bitcoin, about $1.5 million. According to the listing, Wynn has until Feb. 23 to “reach out” or the gang says it will publish the files. Samples reportedly include full names, emails, phone numbers, job titles, salaries, start dates, birthdays and Social Security numbers.
As reported by The Register, the attackers named Wynn on their blog and posted the bitcoin demand and deadline. The outlet said samples it reviewed contained detailed employee and payroll fields, and that ShinyHunters claimed it first gained access in September 2025 by exploiting an Oracle PeopleSoft vulnerability using an employee’s credentials.
Cybernews noted that the group’s leak site was offline and that ShinyHunters had not published public proof of the alleged haul, making independent verification difficult. Cybernews also pointed out that the crew has a history of recycling older datasets and overstating the size of alleged thefts, a pattern that has complicated coverage of similar claims.
How the attackers say they accessed Wynn systems
ShinyHunters told reporters its foothold dated back to September 2025 and involved an Oracle PeopleSoft vulnerability combined with an employee credential, although the group declined to say whether the login was obtained through social engineering or payment. The Register also reported that the crew has previously used Telegram to solicit insider access in other campaigns.
Why Las Vegas resorts are frequent targets
Large casino operators run sprawling IT environments and sit on massive troves of employee, guest and payment data, which makes them appealing to extortion crews looking for sellable personal and operational information. Coverage of the 2023 intrusions at MGM and Caesars showed attackers using help‑desk impersonation and identity‑service access to move inside networks, tactics also seen in recent ShinyHunters campaigns, as documented by BleepingComputer.
Legal and regulatory fallout
If ShinyHunters’ claim turns out to be accurate, Wynn would be subject to state and federal notice obligations and could face regulatory scrutiny and litigation tied to exposed personal data. All 50 U.S. states require some form of breach notification, according to NCSL, and Wynn itself warned in its most recent 10‑K about the business risks posed by cybersecurity incidents. Wynn's 10‑K states that data loss or system disruption could harm the company’s operations and reputation.
What employees and guests should do
Anyone who works for or has recently stayed at a Wynn property should keep an eye out for an official notification and closely review payroll and account statements for unusual activity. The National Association of Attorneys General notes that identifiers such as Social Security numbers, driver’s licenses and financial account numbers are treated as sensitive PII under breach laws, which raises the risk of identity theft if those fields are exposed. The National Association of Attorneys General recommends steps such as credit monitoring and fraud alerts where appropriate.
What to watch next
For now, everything hinges on the group’s Feb. 23 deadline. If ShinyHunters posts files or additional samples, Wynn and investigators will have to assess the scope of any breach and notify affected people. Cybernews noted that the leak site was offline at the time of reporting, which could limit early confirmation, but the crew has previously published data when negotiations fail. This story will be updated as Wynn, law enforcement and security researchers respond.
