Data of 10.6m MGM hotel guests posted for sale on Dark Web forum

The personal data of 10,683,188 MGM hotel guests that leaked sometime in or before 2017 was posted for sale on the Dark Web this week, ZDNet reports.

It doesn’t matter that the data isn’t freshly baked: it’s still edible. ZDNet called hotel guests whose details were included in the data dump and found that, while some of the phone numbers had been disconnected, many were still valid, as “the right person answered the phone.”

The data was first spotted by an Israeli security researcher calling themselves Under the Breach, who claims to have “deep relations” with various threat actors that give them “pre-breach information on many publicly traded companies.”

Under the Breach says they spotted some Vegas-big names among the leaked guest records, including Twitter CEO Jack Dorsey, pop star Justin Bieber, and government officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA).

Under the Breach came across the leaked files on an online forum commonly used by hackers, they told Business Insider. The researcher said that they’d cross-referenced the information with publicly available data and emails that had been exposed in previous breaches.

A spokesperson for MGM Resorts confirmed the security breach, saying that the data is old. The dump included full names, addresses, phone numbers, emails and birthdays, but MGM says that no payment information was compromised. The hotel chain hasn’t confirmed the identity of any of the affected guests; nor has Twitter commented on whether or not Dorsey’s information was involved.

ZDNet confirmed the authenticity of the data on Wednesday. None of the hotel guests whom the news outlet contacted had stayed at the hotel more recently than 2017. But regardless of how long ago the initial breach happened, the personally identifiable information (PII) is still valuable for use in spearphishing campaigns or in SIM-swap attacks, as Under the Breach told ZDNet.

An MGM spokesperson told ZDNet that the data came out of a security breach that happened last year:

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.”

The hotel chain said that it had promptly notified all affected hotel guests in accordance with applicable state laws. ZDNet wasn’t able to find any of those notifications, but it did find posts dating to August 2019 on the Vegas Message Board from people who said that they’d been alerted to the July breach.

The sale of the records has been linked to the threat actor known as GnosticPlayers, which has claimed responsibility for multiple big breaches, including the September 2019 hack of online social game maker Zynga, the massive hack of 26 million records stolen from another six online companies in March 2019, and plenty more.

The tally of records put up for sale on the Dark Web by GnosticPlayers spirals ever upward: in 2019, the entity dumped more than a billion user records, ZDNet reports.

