A hacker is selling details of 142 million MGM hotel guests on the dark web

EXCLUSIVE: The MGM Resorts 2019 data breach is much larger than initially reported.

The MGM Resorts 2019 data breach is much larger than initially reported, and is now believed to have impacted more than 142 million hotel guests, and not just the 10.6 million that ZDNet initially reported back in February 2020.

The new finding came to light over the weekend after a hacker put the hotel's data up for sale in an ad published on a dark web cybercrime marketplace.

According to the ad, the hacker is selling the details of 142,479,937 MGM hotel guests for a price just over $2,900.

The hacker claims to have obtained the hotel's data after they breached DataViper, a data leak monitoring service operated by Night Lion Security.

Vinny Troia, founder of Night Lion Security, told ZDNet in a phone call that his company never owned a copy of the full MGM database and that the hackers are merely trying to ruin his company's reputation.

MGM says it notified all impacted users

Reached for comment on Sunday, MGM Resorts issued a statement claiming they were aware of the scope of the breach.

The MGM breach occurred in the summer of 2019 when a hacker gained access to one of the hotel's cloud servers and stole information on the hotel's past guests.

MGM learned of the incident last year and never made the security breach public, but it notified impacted customers in accordance with local data breach notification laws.

The security breach came to light in February 2020 after a batch of 10.6 million MGM hotel guests' data was offered as a free download on a hacking forum. At the time, MGM admitted to suffering a security breach, but the company didn't disclose the full breadth of the intrusion.

"MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation," an MGM spokesperson told ZDNet in an email today, referring to the company's efforts to notify impacted users.

An MGM spokesperson also pointed out that "the vast majority of data consisted of contact information like names, postal addresses, and email addresses."

Financial information, ID or Social Security numbers, and reservation (hotel stay) details were not included, MGM said in February, which ZDNet is able to confirm after reviewing two different batches of MGM data -- the 10.6 million user records leaked in February and a newer 20 million batch shared by the hackers on Sunday.

Dates of birth and phone numbers were also included, which is how we were able to confirm the breach in the first place, by contacting past hotel guests.

Bigger than 142 million?

However, the MGM data could be even bigger than the 142 million count we have today.

Irina Nesterovsky, Head of Research at threat intel firm KELA, told ZDNet back in February that the MGM data had been circulating and was being sold in private hacking circles since at least July 2019.

Posts on Russian-speaking hacking forums promoted the MGM data breach as containing details on more than 200 million hotel guests.

Article updated shortly after publication to clarify language.