Researchers have found 142 million personal details from former guests at the MGM Resorts hotels for sale on the Dark Web, evidence that a data leak from the hotel chain last summer may be far bigger in scope than previously thought.
An advertisement on a hacker forum has put 142,479,937 details from “MGM Grand Hotels” guests up for sale for more than $2,900, according to a published report on ZDNet.
In the ad, the hacker makes a connection between the newly advertised credentials and a previously known leak of personal details of more than 10.6 million guests who had stayed at MGM Resorts. That breach, news of which surfaced in February, was attributed to unauthorized access to a misconfigured cloud server that occurred at the hotel chain last summer.
“However, what was not reported was that MGM Grand Hotels was also breached, consisting of 142 million entries,” according to the underground forum ad.
MGM Resorts International is the parent company for the MGM Grand as well as some of the most iconic and well-known resorts in Las Vegas, including the Bellagio, Mandalay Bay, the Mirage and Luxor.
As there is no “MGM Grand Hotels” in the chain — merely the MGM Grand and the parent company MGM Resorts — it’s not entirely clear which properties specifically contributed the 142 million credentials being sold online. However, given the number of credentials offered, it seems fairly safe to assume they are from guests at hotels across the resort chain.
The latest cache of 142 million MGM details is the result of a breach of Data Viper, a data leak monitoring service operated by Night Lion Security, the hacker claimed in the ad. According to an investigation from Brian Krebs, Data Viper “provides access to some 15 billion usernames, passwords and other information exposed in more than 8,000 website breaches.” Hackers claim to have posted its databases online, which include a full 2 billion records collected from other companies during past security breaches.
However, ZDNet in a separate report Monday also claimed to have spoken with Vinny Troia, founder of Night Lion, who said his company never owned a copy of the full MGM database, suggesting that the 142 million credentials could not have come from that breach.
It’s also unclear if the 10.6 million credentials from MGM Resorts posted to a hacking forum earlier this year are included in the database of 142 million currently up for sale, or if they are two separate data stores. The smaller database included personal information — such as full names, home addresses, phone numbers, emails and dates of birth — from celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies. Among the famous names cited in reports of the leak were Twitter CEO Jack Dorsey and pop music star Justin Bieber. The database also had details for officials from the Department of Homeland Security and the Transportation Safety Authority, according to reports.
MGM Resorts already has acknowledged that there was indeed a data breach at its organization, though it did not publicize the incident, nor has it said how many credentials were breached.
However, the company did say it notified affected clients about the breach, something that appeared to be true according to a comment made on a site called VegasMessageBoard in August 2019. A community member posted on the site and said he’d been notified that his data had been stolen at MGM Resorts a month earlier, in July.
There is evidence that the breach could have affected up to 200 million MGM clients, according to Tuesday’s ZDNet report, which cited posts on Russian-speaking hacking forums promoting the sale of even more MGM credentials.