MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer

This week a hacking forum posted data from the breach—which included personal and contact details for celebrities, tech CEOs, government officials and employees at large tech companies.

A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer.

The incident—revealed in a published report on ZDNet Wednesday–once again highlights the importance of securing data stored on the cloud as well as the ripple effect breaches can have for companies and victims even long after they’ve occurred.

Personal details found on the forum included full names, home addresses, phone numbers, emails and dates of birth for 10,683,188 guests who had previously stayed at the MGM Resorts, according to the report. Those guests included celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.

ZDNet worked with a security researcher at Under the Breach, a soon-to-be-launched data-breach monitoring service, to confirm the authenticity of the data on the forum, and then reached out to MGM Resorts and some of the people affected by the breach for further confirmation.

MGM almost immediately confirmed the breach to ZDNet, linking it to a security incident that happened last summer, according to the report. Following the breach, the company conducted an internal investigation using two cybersecurity forensics firms, officials said.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM said, according to the report. “We are confident that no financial, payment card or password data was involved in this matter.”

MGM alerted all guests who were affected at the time, something that also appeared to be true in a comment made in August on a site called VegasMessageBoard by a community member who said he’d been notified that his data had been stolen at MGM Resorts in July.

Though the breach happened last summer, the guest details—which included personal info for celebrities as diverse as Twitter CEO Jack Dorsey and pop music star Justin Bieber — were mostly out of date, MGM officials said.

Those researching the breach said they also were able to confirm this is likely true by contacting some of those affected—including international business travelers, reporters attending tech conferences, CEOs attending business meetings, and government officials–who said they had not stayed at the hotel since at least 2017, according to the report.

The breach is no surprise to security experts, who noted that it’s easy for organizations who lack proper security expertise to make simple mistakes when deploying cloud-based solutions that can cost them later when the data is exposed by the cyberthieves who stole it.

These type of breaches are all too common. In October, a cloud misconfiguration allow hackers to steal an AWS administrative API key housed in a compute instance left exposed to the public internet, one of the many ways cloud deployments can go wrong from a security perspective, one expert noted.

“Configuration errors, malicious insiders, server hacks and client-side threats can cause data breaches,” Gad Bornstein, security evangelist with PerimeterX said in an email to Threatpost. “Data from breaches invariably make it to the dark web. Data from multiple breaches help bad actors execute bot-driven account takeover attacks with better success.”

Indeed, the fear with this type of breach is that threat actors will use the data to launch these or other types of attacks—such as phishing or email-based scams–long after a breach occurs, and when the company affected and the victims think they are out of harms’ way.

“This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time,” Adam Laub, CMO at STEALTHbits Technologies, said in an email to Threatpost. “It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots.”

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.