Date: 2026-02-23

ShinyHunters claim breach of Wynn Resorts, leaking 800,000 employee records

Group demands 23.34 Bitcoin (~$1.55m) to delete stolen data

Access allegedly gained via Oracle PeopleSoft vulnerability using employee credentials

The infamous ransomware operators ShinyHunters seem to have hit yet another Las Vegas hotel and casino giant: after Caesars Entertainment and MGM Resorts (which were struck in September 2023), the group has now apparently hit Wynn Resorts.

The group recently added Wynn to its data leak website, saying it had obtained more than 800,000 records, and shared a small sample to prove the authenticity of its claims - giving Wynn a deadline of February 23, 2026 to either pay up, or see the data leaked onto the dark web.

The group is asking for 23.34 Bitcoin, roughly $1.55 million, in exchange for deleting the data. It calls this the “starting price”, suggesting that it is ready to negotiate a lesser sum.

In the meantime, the sample was analyzed by researchers at The Register, and allegedly it contains Wynn Resorts’ employees’ full names, emails, phone numbers, positions, salaries, start dates, birth dates, and “other personal information”.

This is more than enough to craft highly convincing phishing emails through which attackers can steal login credentials, conduct wire fraud, and more.

The hotel has not yet issued a statement about the claims, nor has it responded to media inquiries. We don’t know exactly how the incident took place - it was either via stolen credentials, or through a vulnerability in internet-connected hardware such as firewalls.

ShinyHunters is currently one of the most active threat actors, and has recently broken into dozens of organizations through vishing (voice phishing) scams. Its members impersonate technical support or IT operatives, trick the victim into resetting their 2FA and login credentials, and then access the system via Okta single sign-on or a similar service.

In this case, however, a member of the group told The Register they accessed Wynn's systems in September 2025 via an Oracle PeopleSoft vulnerability using an employee's credentials.

