TL;DR: ShinyHunters breached Wynn Resorts in September 2025 using an Oracle PeopleSoft vulnerability and stolen employee credentials. They sat on the data for five months before demanding $1.5 million in Bitcoin on February 20, 2026. After the February 23 deadline passed, Wynn confirmed the breach, but also claimed the attackers "have stated that the stolen data has been deleted." Translation: they probably paid. Security experts say there's no way to verify data deletion. If you work at Wynn, your SSN, salary, birthday, and employment details are in criminal hands. Wynn is offering free credit monitoring.
How It Happened
September 2025: ShinyHunters exploited an Oracle PeopleSoft vulnerability to breach Wynn Resorts' HR systems [1]. They used compromised employee credentials to authenticate, though they haven't said whether those credentials came from phishing, credential stuffing, or purchase on a dark web marketplace.
The attackers had access for five months before anyone noticed. That's five months to copy, analyze, and exfiltrate 800,000 employee records.
February 20, 2026: ShinyHunters posted Wynn Resorts on their leak site, demanding 22.34 Bitcoin (about $1.5 million) [2]. They gave Wynn until February 23 to pay, threatening to publish everything and cause "several annoying (digital) problems."
February 23: The deadline passed.
February 25: Wynn confirmed the breach publicly. In the same statement, they claimed the attackers said they'd deleted the data. Wynn has since been removed from ShinyHunters' leak site [3].
Connect the dots.
What's in the Breach
Samples reviewed by security researchers show the stolen data includes [4]:
- Social Security numbers, the crown jewel of identity theft
- Full names
- Email addresses, personal and work
- Phone numbers
- Job titles and positions
- Salary information
- Employment start dates
- Dates of birth
- Other HR data, likely benefits, emergency contacts, bank account info for direct deposit
This isn't just email addresses and passwords. This is everything an HR system holds on an employee. The kind of data that enables synthetic identity creation, tax refund fraud, and targeted social engineering for years.
Wynn employs roughly 29,000 people globally [5]. ShinyHunters claims over 800,000 records, likely including former employees, contractors, and duplicate entries across Wynn's properties in Las Vegas, Macau, and Boston.
Did Wynn Pay the Ransom?
Wynn's statement is careful: "The unauthorized third party has stated that the stolen data has been deleted, and Wynn is monitoring and to date has not seen any evidence that the data has been published or otherwise misused" [6].
That's not a denial. That's a company's legal team threading a needle.
Wynn declined to confirm or deny whether a ransom was paid. But here's what we know:
- ShinyHunters removed Wynn from their leak site
- No employee data has been published
- Wynn is now claiming attackers deleted everything
Security experts aren't buying it. Dray Agha, security manager at Huntress, told The Register: "There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data" [7].
Once data leaves your network, it's gone. You can't unring that bell. The attackers might delete their copies. They might sell them. They might hold them for a second extortion attempt in six months. Companies that pay ransoms are betting on the honor of criminals.
ShinyHunters' February Rampage
Wynn joins an ever-growing list of ShinyHunters victims in 2026. The group has been absolutely relentless:
- CarGurus: 12.5 million customer records dumped
- Odido (Dutch telecom): 6 million subscriber records
- Harvard and UPenn: 2.2 million alumni records
- Betterment: 1.4 million investment accounts
- Figure: 967,000 fintech customers
- Panera Bread: 5.4 million customers
- TransUnion (via Salesforce): credit data
Most of these came through voice phishing: calling employees and tricking them into handing over SSO codes. Wynn's attack was different: an unpatched Oracle PeopleSoft vulnerability gave attackers their entry point.
Different technique, same result. Another company loses control of sensitive data.
Casinos Keep Getting Hit
Wynn is the latest casino operator to fall victim to cybercrime. The sector has become a favorite target:
- September 2023: MGM Resorts shut down for days after Scattered Spider social engineered their way in. Cost: $100+ million.
- September 2023: Caesars Entertainment paid $15 million ransom after a similar attack.
- January 2026: Multiple casino operators reported probing attempts from the same threat actor groups.
Casinos are appealing targets. They process massive amounts of financial transactions, hold extensive customer and employee data, and operate complex IT systems across multiple properties. Their workforce includes thousands of employees with varying levels of security awareness.
ShinyHunters didn't even need to social engineer anyone. They found an unpatched Oracle vulnerability and walked through the door.
What Wynn Employees Should Do
Assume Your SSN Is Compromised
Don't wait for Wynn to notify you officially. Act now. Your Social Security number may be circulating in criminal marketplaces.
Freeze Your Credit
Free at Equifax, Experian, and TransUnion. Prevents anyone from opening new accounts in your name. You'll need to temporarily lift the freeze when you legitimately need credit.
Use Wynn's Free Monitoring
Wynn is offering complimentary credit monitoring and identity protection services. Take them up on it: it's the least they can do.
File an IRS Identity Protection PIN
Get a six-digit PIN from the IRS that prevents anyone else from filing a tax return in your name. Request one at IRS.gov.
Watch for Targeted Phishing
Attackers now know where you work, how much you make, and when you started. Expect convincing fake emails about "payroll updates," "benefits changes," or "W-2 issues."
Monitor Your Bank Accounts
If direct deposit info was in the breach, attackers might try to redirect your paychecks. Verify your banking details with HR in person.
Trust, But Verify? You Can't.
Wynn's response relies on taking criminals at their word. "The attackers said they deleted everything." Cool. And I'm sure they pinky-promised too.
The uncomfortable truth: once data is stolen, it's stolen forever. There's no undo button. No magical deletion verification. You're trusting that the same people who exploited your systems, stole your employees' identities, and demanded $1.5 million are now going to be honest about destroying evidence.
800,000 employees deserve better than faith-based security. They deserve to know if Wynn paid the ransom. They deserve to understand that "deleted" means nothing when copies can exist anywhere.
What they'll get instead: credit monitoring and a hope that their Social Security numbers don't surface on a darknet marketplace next month.
References
- The Register - ShinyHunters demands $1.5M not to leak Wynn Resorts data (February 20, 2026)
- Yogonet - Wynn Resorts hit by cyberattack, hackers demand $1.5 million ransom (February 24, 2026)
- The Register - Wynn Resorts confirms data stolen after ShinyHunters threats (February 25, 2026)
- Las Vegas Review-Journal - Wynn Resorts reportedly cyberattacked and asked to pay $1.5M ransom (February 2026)
- Yahoo Finance - Wynn Resorts says hackers stole employee data (February 2026)
- CDC Gaming - 'Stolen data has been deleted': Wynn Resorts releases statement on cyberattack (February 2026)
- SC Media - ShinyHunters extorts Wynn Resorts after alleged data breach (February 2026)
Published: February 26, 2026