MGM Resorts Data Breach Exposes Details Of 10.6 Million Guests


Melia Revard

Dec 5, 2023, 7:11:24 AM
to Cordova-SQLitePlugin

Exposed data included names, addresses, phone numbers, dates of birth, and email addresses.
MGM Resorts confirmed the breach occurred in the summer of 2019. The hotel chain said affected hotel guests were promptly notified last year when the breach was discovered. It is believed that guests whose information was exposed stayed at MGM Resorts in 2017 and earlier.

The MGM Resorts data breach was discovered in the summer of 2019, but the breach became public on February 20, 2020, when ZDNet published an article about the data security incident.

ZDNet contacted MGM Resorts, which confirmed the breach.

"Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM told ZDNet.

Information accessed in the breach was posted on a hacking forum this week. The hacker who released the information is believed to have ties to the hacking group GnosticPlayers.

GnosticPlayers posted more than 1 billion records on hacking forums in 2019, security researcher Irina Nesterovsky told ZDNet.

ZDNet contacted MGM Resorts with leaked guest data found on the hacking site. MGM was able to match the information with data accessed in the summer 2019 data breach.




If you've stayed at an MGM Resorts hotel, you may be among victims of the latest massive data breach. The personal details of more than 10.6 million hotel guests were recently posted on a hacking forum, and ZDNet has confirmed the data's authenticity. ZDNet said the data dump contains affected guests' full names, home addresses, phone numbers, emails and dates of birth. Names and information in the breach include tech CEOs, celebrities, government officials and reporters.

Upon being notified about the breach, the MGM Resorts team told the publication that the company was able to trace the leaked data back to a security breach that took place last year. MGM said that last summer, it discovered an unauthorized entry to a cloud server that housed some information for "certain previous guests" to its hotels.

The spokesperson emphasized that the company is confident "no financial, payment card or password data was involved in this matter." And it seems to be much smaller in scale compared to the Marriott security breach, which exposed 500 million guests' details, including 5 million unencrypted passport numbers. Nevertheless, as breach monitoring service Under the Breach told ZDNet, the leaked information is enough to make affected guests a target of spearphishing attacks and SIM-swapping schemes. Details from the breach have been added to the Have I Been Pwned database, and you can register there for a notification of whether your email address is among those included.

The Identity Theft Resource Center reports that there were 1,473 known data breaches in 2019. These attacks affect the data of millions of people. A compromised identity can have consequences that last for years. One of the most visible data breaches of 2019 was the MGM Grand breach that exposed the information of 10.6 million former hotel guests.

The size and the severity of this MGM Resorts security incident pale in comparison to the massive data breach that impacted Marriott hotels in 2017 when the details of hundreds of millions of users were stolen by Chinese state-sponsored hackers.

A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer.

ZDNet confirmed the authenticity of the data on Wednesday. None of the hotel guests whom the news outlet contacted had stayed at the hotel more recently than 2017. But regardless of how long ago the initial breach happened, the personally identifiable information (PII) is still valuable for use in spearphishing campaigns or in SIM-swap attacks, as Under the Breach told ZDNet.

However, as per the latest reports, the number of affected users is way higher than this. Reportedly, around 142 million customers could have been affected by the breach as it has been discovered that a hacker is selling a large database of MGM Resorts customers.

Hackers got a hold of the personal information of 10.6 million guests of the MGM Resorts hotels chain last summer, but this week hackers posted the data to a popular hacking forum, according to reports from ZDNet and the BBC.

The 2020 data breach exposed email addresses, IP addresses, and other details stored in a support case analytics database. (Microsoft says that no other personal information was stored in the database.)

The leaked contact information for millions of former hotel guests included records of celebrities that included Justin Bieber, Twitter CEO Jack Dorsey, and a number of government officials. MGM insists that no credit card information or passwords were exposed in the data breach.

In July of 2020, researchers discovered an ad on a dark web marketplace offering the records of more than 142 million MGM guests for the bargain price of $2,900. The offer suggests that the original breach may have been far worse than previously indicated.

U.S. casino operator MGM Resorts International said on Thursday it was the victim of a data breach last year after an earlier report claimed that details of over 10.6 million hotel guests had been compromised.

Marriott's privacy concerns were amplified by the private details the hotel logged of its guests. Travel preferences, patterns and habits are all documented. Malicious actors could use the information to compile fraudulent profiles of the elite class of guests. They could also use the data to personalize secondary attacks, such as phishing schemes.

February 20, 2020: Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum. The data dump exposed includes names, home addresses, phone numbers, emails, and dates of birth of former hotel guests. Updated July 15, 2020: Researchers found 142 million personal records from former guests at the MGM Resorts hotels for sale on the Dark Web, hinting that the original breach was larger than previously announced.

April 6, 2020: A digital wallet app, Key Ring, left stored customer data of 14 million users accessible in an unsecured database. The app allows its users to easily upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers), email address, birth date, address, membership ID numbers, retail club and loyalty card memberships, government IDs, gift cards, medical insurance cards, medical marijuana IDs, IP address and encrypted passwords.

May 20, 2020: The information belonging to 8 million users of the home meal delivery service, Home Chef, was found for sale on the dark web after a data breach. The data found for sale includes names, email addresses, phone numbers, addresses, scrambled passwords and the last four digits of credit card numbers.

May 20, 2020: Over 40 million users of the mobile app, Wishbone, had their personal information up for sale on the dark web. Usernames, emails, phone numbers, location information and hashed passwords were exposed in a data breach before being advertised in a hacking forum.

July 26, 2020: A third-party breach leaked the account details of over 7.5 million users of the digital banking app, Dave. Although no financial information was disclosed, the breach exposed names, phone numbers, emails, birth dates, home addresses and encrypted Social Security numbers.

July 28, 2020: The video creation platform, Promo.com, confirmed their 22 million customers have had their personal and account information exposed in a third-party data breach. The compromised data includes names, email addresses, IP addresses, user location, gender and encrypted passwords.

August 21, 2020: Freepik, a free image database, sent out a breach notification to 8.3 million users that their account login information was exposed through injected malware on their website. The malware collected emails of all users and hashed passwords of 3.77 million users.

September 14, 2020: An undisclosed number of customers of the office retail giant, Staples, received email notification disclosing their information has been exposed in a data breach. The breached information includes customer names, addresses, email addresses, phone numbers, last four credit card digits and order details.

October 20, 2020: Security researchers at Comparitech discovered an unsecured database containing the records of more than 350 million customers along with call transcripts belonging to the cloud-based communication company, Broadvoice. The exposed Elasticsearch database enclosed personal details such as caller names, caller identification number, phone number and location along with voicemail transcripts.

November 5, 2020: A database containing staff, users, and subscribers data of the online media company, Mashable.com, was leaked by hackers and reported publicly on November 8th. The breached data was later detected on the dark web on December 16th. The database contains 1,852,595 records, including names, email addresses, country, gender, job description, online behavior related details, date of registration, IP addresses, social media profile links and authentication tokens.

November 11, 2020: Animal Jam, a popular online game for kids, was hacked and 46 million account records were compromised in a data breach. The databases belonging to WildWorks, the company behind Animal Jam, were posted to an online hacking forum on the dark web. The data included information related to children and parent accounts, including usernames, emails, passwords, birth dates and billing addresses connected to PayPal accounts.
