Wynn Resorts has confirmed that a hacker stole employee data from its systems after the company was listed on the ShinyHunters extortion gang's data leak site.

In a statement shared today, the company said it activated its incident response procedures and launched an investigation, with assistance from external cybersecurity experts, after discovering the breach.

"We have learned that an unauthorized third party acquired certain employee data," reads a statement shared with BleepingComputer.

"Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts."

While Wynn has not stated whether it paid a ransom to prevent the data leak, the company said the attackers confirmed the stolen data had been deleted. In past extortion cases, threat actors have typically only claimed data was deleted after reaching an agreement with a victim.

"The unauthorized third party has stated that the stolen data has been deleted. We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused," the statement continued.

The company added that the incident did not impact guest operations or its physical properties, which remain fully operational, and that it is offering complimentary credit monitoring and identity protection services to employees.

ShinyHunters leak site listing

This statement comes after Wynn Resorts appeared on the ShinyHunters data leak site on Thursday.

In the threat actors' post, the group claimed it had stolen "PII (SSNs, etc) and employee data" and warned the company to make contact before February 23, 2026, or the data would be published.

"Over 800k records containing PII(SSNs, etc) and employee data have been compromised," reads the now-deleted post on ShinyHunters data leak site.

"This is a final warning to reach out by 23 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headling."

Shortly after, the Wynn entry was removed from the site, a move that often occurs when negotiations are underway or claims are disputed.

Wynn Resorts did not answer questions about whether a ransom was paid or how many people were affected. Similarly, ShinyHunters told BleepingComputer that they had no comment on whether they received a payment.

However, the threat actors did previously claim to have stolen the data from the company's Oracle PeopleSoft environment.

ShinyHunters is a data extortion group known for breaching organizations and threatening to publish stolen data unless a ransom is paid.

The group has previously claimed responsibility for multiple high-profile data theft incidents and has operated across various underground forums and extortion portals over the years.

Last year, ShinyHunters conducted a widespread campaign to steal Salesforce data, targeting numerous companies through social engineering and stolen third-party OAuth tokens.

In recent weeks, ShinyHunters has claimed responsibility for a wave of other security breaches, including Panera Bread, Betterment, SoundCloud, Canada Goose, PornHub, and online dating giant Match Group.

Some of the victims were compromised through voice phishing (vishing) attacks targeting single sign-on (SSO) accounts at Google, Microsoft, and Okta, where the threat actors posed as IT support staff to trick employees into entering credentials and multi-factor authentication (MFA) codes on phishing sites.

As BleepingComputer first reported, the ShinyHunters group more recently adopted device code vishing to obtain Microsoft Entra authentication tokens.

After stealing their targets' credentials and auth codes, the threat actors hijack the victims' SSO accounts to steal data from connected SaaS applications such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.