MGM Data Breach Magnitudes Larger Than First Reported, Up to 142 Million Guests

  • MGM said in February 2020 that the 2019 data breach exposed 10.6 million guest records
  • A hacker has put the information of over 142 million guests up for sale on the dark web
  • The hacker allegedly broke into the DataViper servers, but the company owner disputes that
  • Basic personal information was acquired, but financial records were not
Faceless man in hoodie at a laptop
A hacker is selling the personal information of 142 million MGM Resorts guests on the dark web; the data is from the same 2019 breach that was originally reported in February 2020. [Image: Shutterstock.com]

MGM knew in February

New evidence shows that the 2019 MGM Resorts International data breach may have been significantly larger than initially believed. According to ZDNet, hackers appear to have the personal information of over 142 million hotel guests – 13 times more than the 10.6 million records that were reported in February of this year.

MGM has admitted that it knew the actual size of the data breach

This new figure comes from an ad posted on what ZDNet calls a “dark web cybercrime marketplace.” The hacker claims they have 142,479,937 guest records, offering them up for only $2,939.76.

MGM has admitted that it knew the actual size of the data breach, even though it only acknowledged the 10.6 million figure in February.

“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” a company spokesperson told ZDNet. In “addressing” the situation, MGM means that it notified or attempted to notify customers who were impacted by the security failing.

Server owner disputes hacker’s claims

The hacker says that they obtained the MGM records by breaking into the servers of DataViper, a “data leak monitoring service” run by Night Lion Security. Night Lion’s founder, Vinny Troia, vehemently denies that it was his firm that was the hacker’s treasure trove, telling ZDNet that his company never even had MGM’s data.

On Monday, the hacker posted on a dark web site that they collected 8,225 databases during a three-month stint digging into DataViper’s servers. The person provided proof, including data samples.

The hacker also posted ads on a dark web marketplace, offering up another 50 DataViper databases for sale. The ads include databases allegedly from video game developers Ubisoft and Epic Games, the latter of which is titled “Fornite Emails” with 56.7 million records. Also on the list are databases supposedly including customer data from eHarmony and Instagram.

ZDNet says that most of the databases the hacker listed were from previously known breaches. Troia says that that the hacker only accessed a test server and was likely selling their own data, not anything they got from DataViper.

All they had access to was a dev environment.”

“When people think they are above the law, they get sloppy,” Troia said in a formal statement. “So much so they forget to look at their own historical mistakes. I literally detailed an entire scenario in my book where I allowed them to gain access to my web server in order to get their IPs. They haven’t learned. All they had access to was a dev environment.”

No financial data exposed

Fortunately, it does not appear that any extremely sensitive MGM customer information was leaked. In February, the company said that the “vast majority” of the data consisted of basic personal information such as names, physical addresses, and e-mail addresses.

Financial information, social security numbers, reservation details, and other identification information were not part of the data haul. ZDNet verified the database contacts both in February and from the latest batch over the weekend. The IT news site used phone number and date of birth information to contact some of MGM’s customers to confirm the veracity of the data.

experts advise everyone to use two-factor authentication, strong, unique passwords, and other measures to beef up account security

Experts say that those affected by the data breach likely do not have to worry too much, as the information acquired is mostly readily available to the public, obtainable by a basic internet search. Thus, someone accessing a customer’s financial accounts or the like is improbable. That said, having all that information in one place does make the first steps in identity theft easier, so experts advise everyone to use two-factor authentication, strong, unique passwords, and other measures to beef up account security.