Data of 142 million MGM hotel guests is currently up for sale on the dark web.
In February 2020, it was disclosed that hotel chain MGM Resorts had suffered a data breach in summer 2019. MGM initially did not publicly disclose the breach but it was revealed by news site ZDNet after they discovered hotel guest information posted on a hacking forum. The breach was later confirmed by the hotel chain as well but the exact number of affected guests was not disclosed. At the time, MGM said it was unable to say how many customers were impacted because the exposed data was believed to be duplicated. ZDNet reported the number to be 10.6 million, based on the listing on a hacking forum.
According to MGM, they noticed that someone gained unauthorized access to a cloud server which contained information of past guests. Affected customers were promptly notified but the incident was not disclosed to the general public. The accessed data included names, home addresses, phone numbers, emails and dates of birth, but no financial, payment card or password data. Celebrities like Justin Bieber and goverment officials were said to be among the affected guests.
ZDNet has now revealed that as many as 142 million MGM hotel guests may have been affected in the breach. An ad was recently posted on a hacking forum, selling information of 142,479,937 MGM hotel guests for $2,939. The post mentions that the data comes from a breach in MGM Grand Hotels, but it does not appear to be part of the MGM hotel chain. The data was likely taken from MGM Grand. ZDNet was able to confirm that the data is legitimate and does contain customer information.
The hacker also mentions that the data for sale was taken from the July 2020 breach of DataViper, a data leak monitoring service. However, Vinny Troia, founder of the company managing DataViper, told ZDNet that the company did not have the full MGM database so the hacker could not have stolen it from DataViper.
According to reports, while MGM did not disclose much information about the incident and the number of affected customers, they are fully aware of the scope of the breach.