Hacker Puts Up 142 Million Records of MGM Hotel Guests for Sale

Last year, the MGM Resorts suffered one of the biggest data breaches , as it was reported in early February that hackers stole details of 10.6 million hotel guests. However, it seems the affected guests are much more than the initially reported number. A recent report has revealed that the hacking incident affected about 142 million guests of the hotel. It could even be bigger than that.

The new finding of the breach was revealed over the weekend when a hacker advertised the stolen data on the dark web . Based on the ad, the hackers are putting up the details of142, 479, 937 MGM hotel guests for only $2.900.

The hackers said they obtained the database after compromising NightLion’s owned DataViper, which monitors online data leak .

However, the founder of NightLion Security, Vinny Troia, said NightLion does not have any details about MGM’s data, and the hacker was only trying to tarnish his reputation because his company was getting close to knowing their identity.

In response to the leaked details offered on the dark web, MGM said the company is fully aware of the size of the hack and it has already informed the users who were affected.

The data breach took place last year as the hacker successfully accessed one of the hotel’s cloud servers and stole details about the hotel’s guest. Although MGM became aware of the breach, it didn’t reveal details about the breach or notified the public on the nature of the breach. However, to be in god terms with the data breach notification laws, it informed all affected guests.

The public became aware of the breach after a hacker offered data of about 10.6 million MGM guests as a free download on a darknet. At that time, the hotel released a statement acknowledging the breach, but its severity was still hidden. As a result of the data offered for free download, the public believed only the details offered for free download was the only stolen data. But the recent activity of the hacker is stating otherwise.

“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” a spokesperson for MGM Resorts stated.

MGM owns popular hotel chains such as Mirage, Park MGM, Mandalay Bay, MGM Grand, Aria, Bellagio, Luxor, and Excalibur in Las Vegas.

The spokesperson also said the major details in the stolen data include email addresses, postal addresses, as well as the names of the guests. Reservation, financial information, social security numbers or ID numbers were not included in the breach.

Phones numbers and dates of births were also included. To confirm that the intrusion actually occurred in MGM, some of the affected quests were called via the phone numbers on the leaked data. It turned out that few of the contacted guests were reachable.

Although the 142 million data breach is far higher than the earlier reported 10.6 million, the stolen records could even be larger. There was no indication that the hacked data from MGM as the company has refused to release any statement and the hacker has not said there are no other MGM data in their possession.

Head of Research at KELA, Irina Nesterovsky, revealed that the MGM leaked data has always been online as has been circulating since July last year.  There are some posts from hackers on Russian-speaking hacking forums promoting the leaked data as being over 200 million hotel guests.