MGM Resorts Leaks Private Data of 10.6 Million Clients, Celebrities Included

MGM Resorts Data Breach

Catalin Cimpanu, a reporter at ZDNet, was tipped off about a massive data dump that was recently posted on a hacking forum. He took a look and realized that the compromised information belonged to people who had stayed at MGM Resorts hotels. With the help of a researcher from Under the Breach, Cimpanu confirmed the legitimacy of the leak and got in touch with the hotel chain. An MGM spokesperson said via email that the information did indeed belong to hotel guests, but they were quick to point out that people's credit card details were not involved.

Some of you may think that this makes the breach a lot less dangerous, but as we'll find out in a minute, this is not really the case. Before we get to the potential consequences, however, let's see what was leaked and who had access to it.

Hackers stole the personal information of more than 10.6 million hotel guests in 2019

The breach apparently happened last summer, and although it didn't officially announce it, MGM did contact at least some of the affected individuals to let them know about the incident. As Cimpanu noted, people did discuss the breach notifications at the time, but the leak failed to gain any interest from the media, which, considering what's in the dump, is somewhat strange.

During the attack, the hackers managed to make off with the personal details of 10,683,188 hotel guests. The leaked information included names, home and email addresses, telephone numbers, and dates of birth. Cimpanu and Under the Breach's researcher tried contacting a few of the people in the database, and although some of the phone numbers were no longer valid, guests did reply and said that they had stayed at MGM hotels prior to 2018.

Celebrities, reporters, and government officials were also affected

MGM Resorts is a massive chain of luxury hotels, and in light of this, it probably shouldn't be too surprising that, as the leaked database shows, some well-known names have used its locations.

Under the Breach's researcher told ZDNet that the database contains the details of DHS and TSA officials, and Cimpanu himself saw the names of quite a few well-known reporters who have stayed at MGM locations during conferences and high-profile events. The breach also hit pop star Justin Bieber and Twitter's CEO, Jack Dorsey, although it remains unknown whether they, like other guests, were privately informed about the attack.

The potential damage is significant

Inevitably, parallels are drawn between MGM's breach and 2017's attack on Marriot hotels. At around 500 million, the number of affected guests by Marriot's leak is far greater, but this doesn't mean that Dorsey, Bieber, and the rest of the people whose information is in the MGM dump should relax. The compromised data has already been in criminals' hands for at least six months, and now, it's available to anyone who wants to download it. The absence of credit card details is no reason to underestimate the breach, either.

To emphasize the potential consequences of the leak, Catalin Cimpanu shared his thoughts on how the stolen information could have helped hackers compromise Jack Dorsey's Twitter account. As some of you may remember, in August last year, crooks hijacked Dorsey's microblogging account after mounting a SIM swapping attack against him, and Cimpanu speculates that they may have retrieved his phone number from MGM's database. Of course, this is, in the reporter's own words, a "wacky theory" that can't be confirmed or denied, but the fact of the matter is, nothing about it can be classified as "impossible."

In addition to SIM swapping, people affected by MGM's breach must also be on the lookout for targeted spear phishing attacks, and, given the presence of home addresses in the database, they might also want to think about their physical security. After all, the information is now public, and nobody knows who might be tempted by the Download button.

February 20, 2020

Leave a Reply