Las Vegas MGM was hacked; details of over 10 million guests exposed online

A data breach has compromised the information of millions of people who have stayed at MGM Resorts hotels, including Las Vegas’ MGM Grand. According to an information security firm, the personal data of 10.5 million customers of the hotel chain were extracted from the company’s databases and posted on a hacking forum. The compromised information includes details of celebrities, athletes, entrepreneurs and government officials from all over the world.

According to an analysis by security firm ZDNet, the shared information contains a total of 10, 683,188 records belonging to former guests in the hotel chain. Among the exposed data we can find:

  • Full names
  • Addresses
  • Email addresses
  • Phone numbers
  • Birth dates

After questioning the hotel chain, a representative of MGM Resorts said their information security team was already aware of the incident, as it was detected more than a year ago. In addition, the spokesperson stated that users were notified as soon as the data breach was detected, and that the posting of this information on the hacking forum occurred just a few days ago. “We are confident that financial information as payment card data or confidential numbers were not compromised during this incident,” the spokesperson added.

The MGM Resorts’ database, found in a Russian-speaking forum

However, not everyone trusts the company’s official position. For example, Irina Nesterovsky, research director at information security firm KELA, says the MGM Resorts database began circulating various hacking forums from July 2019. In addition, the researcher suggests that those responsible for the leak are related to GnosticPlayers, a hacker (or hacker group) associated with various incidents of data breaches.

Given the nature of the data breach, the information exposed can be very useful for multiple hacker groups. Malicious activities that users might be exposed to include SIM exchange attacks, phishing campaigns, harassment, and extortion, among other variants of fraud.

Although the hotel chain claims that the information exposed is outdated, the International Institute of Cyber Security (IICS) considers the incident to expose users equally, as the sophistication of hacker groups allows generate detailed profiles even on the basis of inaccurate or old information.