Did You Stay At An MGM Hotel? Data Of 10.6 Million Guests Hacked

A hacking site has published the personal details of more than 10.6 million people who stayed at MGM Resorts hotels, including contact details for celebrities, tech CEOs, reporters and government officials.

ZDNet said Wednesday it had verified the authenticity of the data with the help of the soon-to-be-launched data breach monitoring service Under the Breach, which noted those affected face a higher risk of phishing emails and cellphone hijacking.

The data, which was stolen in July, included full names, home address, phone numbers, emails and dates of birth, ZDNet reported. The New York Times reported more sensitive data – driver’s licenses, passports or military ID cards – from about 1,300 guests were exposed. Those affected included tourists, conference and meeting attendees, and government officials visiting Las Vegas branch offices.

In 2018, hackers compromised the data of some 500 million people who stayed at the Marriott hotel chain.

MGM said the data breach occurred last summer and involved records dating to 2017 and earlier. The company said no financial, payment card or password data were compromised.

“We discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM said.

The company said it notified all those impacted and hired two forensic cybersecurity firms to investigate the incident. It said it has taken action to strengthen its security to prevent a future incident. The company, however, did not disclose which of its properties were affected.

Irina Nesterovsky, who heads research at threat intel firm KELA, told ZDNet the hack was believed conducted by an individual associated with GnosticPlayers, a hacking group that has provided more than 1 billion hacked user records.

Among those affected by the MGM breach were Twitter CEO Jack Dorsey and pop star Justin Bieber. Also on the list was Stephen Paddock, who opened fire from the Mandalay Bay Resort, killing 58 people at an Oct. 1, 2017, music festival before killing himself.

Email addresses indicate other stolen data belonged to people working for the departments of Homeland Security and Justice, the FBI and the Transportation Security Administration. A man with a Secret Service address told NBC News he had not been contacted about the breach.

"MGM Resorts failed at protecting their customers' data," Lou Rabon, founder and CEO of the security company Cyber Defense Group, told NBC, adding the breach is just "another example of why companies need to be constantly vigilant with their cybersecurity program and practices."