The personal information of over 10.6 million guests of MGM Resorts hotels, including their full names, email and street addresses and phone numbers, has been posted to an online hacking forum.
The huge data trove includes the contact details of celebrities including Justin Bieber and technology CEOs including Twitter boss Jack Dorsey, as well as reporters, government officials and regular tourists. MGM operates a number of hotels in Las Vegas, as well as in Japan and China.
Victims of the data breach were contacted by MGM Resorts in August 2019, a month after the data was stolen. But now the data is freely available online to anyone who looks in the right place. MGM says the data did not include passwords or any financial information.
The posting of the data on a hacking forum was reported by ZDNet, to which an MGM spokesperson confirmed the data is legitimate and comes from a 2019 security incident. MGM "discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," the spokesperson said.
Although the data is a few years old - it includes no information on guests who stayed after 2017 - much of the data is still valuable to hackers and con artists.
For example, ZDNet found phone numbers in the database that are still connected and belong to the person named in the database. This could potentially open them up to a SIM-swapping attack, where a new SIM card in the victim's name is acquired from their cell company and used to read two-factor authentication codes texted to the number.
The availability of millions of valid email addresses also opens up the victims of this breach to simpler attacks like malware and phishing campaigns.
In total, the personal contact details of 10,683,188 MGM Resorts guests have been exposed. The data included full names, home addresses, phone numbers, email addresses and dates of birth.
ZDNet contacted some of the people in the database and confirmed they had stayed at MGM Resorts hotels, and the stolen data is accurate. "We got confirmation from international business travellers, reporters attending tech conferences, CEOs attending business meetings, and government officials traveling to Las Vegas branches," the report says.