MGM Resorts Data Hack: Customer Info Stolen in 2019 Posted on Telegram

Posted on: May 26, 2022, 10:35h. 

Last updated on: May 26, 2022, 12:58h.

An 8GB database containing the personal data of around 30 million MGM Resorts guests has been publicly shared on social messaging channel Telegram.

MGM’s iconic lion at the MGM Grand. The operator confirmed the cyberattack of almost three years ago occurred and says it continues to strengthen security measures to protect guest data. (Image: LVRJ)

The data dump was discovered by the vpnMentor Research Team, a pro bono service that battles cyber threats while educating organizations on protecting their users’ data. It was shared on Telegram on May 22, 2022, according to vpnMentor.

The dump contains more than 142 million records that include names, postal addresses, email addresses, phone numbers, and dates of birth of MGM customers. Among them are celebrities, government officials, and journalists, including Twitter founder Jack Dorsey and the singer Justin Bieber.

This is not the first time the stolen data has surfaced, but it’s the first time it has been made accessible to anyone, including people without the technical ability to access a dark web cybercrime market.

‘Night Lion’ Cyber Attack

MGM confirmed in February 2020 it had suffered a data breach the previous summer. That was after more than 10 million records were published on a Russian hacking forum, while all 142 million went on sale on the dark web for US$2,900.

On July 14th, 2020, reported that the databases were stolen by a hacker or hackers calling themselves “NightLion.” They achieved this by targeting a data-leak monitoring service called DataViper, operated by a company called Night Lion Security, according to Hackread. Night Lion has denied that it ever had access to the full MGM database.

“This is not a new incident and involves an event reported in 2019 that was subsequently addressed by MGM Resorts,” the operator told Thursday. “We continually seek to strengthen and enhance our security measures to protect guest data.”

The good news is that no financial, payment card, or password data was stolen in the breach. The bad news is that the sensitive information could be used by phishing scammers, and the inclusion of dates of birth could allow them to target the elderly.

Meanwhile, the inclusion of phone numbers could facilitate SIM-swapping operations. In a SIM swap, scammers use stolen information to convince a mobile provider to switch a number to a different phone, enabling them to intercept authentication codes delivered by SMS.

Attacks on the Rise

The FBI’s annual Internet Crime Report recorded 51,629 identity-theft complaints in 2021, compared to 43,330 the year prior, an increase of 19 percent. These crimes cost businesses and individuals over $278 million last year, the FBI said.

Land-based casinos are increasingly the target of cybercriminals, who often demand ransom in the form of cryptocurrency in return for restoring normal operations.

In 2019, hackers were able to steal an unnamed Las Vegas casino’s high-roller database by gaining access to its computer network via a smart thermostat in its fish tank.