A database containing the personal information of over 142 million MGM Resorts guests is for sale online. The data is being sold on the dark web for $US2,900 ($4,162), and includes sensitive guest information like names, home addresses, phone numbers and more — though no financial information appears to be included.
It’s unclear if this information includes the same data about some 10.6 million guests exposed in a similar breach in 2019, or if it’s all new information. It’s also uncertain how the database was obtained in the first place. Posts on a Russian hacker site claim the info was stolen from Night Lion Security’s DataViper — a service that indexes leaked data and suffered its own breach last year — but Night Lion founder Vinny Troia told ZDNet the company never had MGM Resorts information in its database at all. Another possibility is that this info, too, was obtained in the initial MGM cloud server breach last year.
Whatever the case, if you’ve been to an MGM hotel, you might be concerned about what this big data breach means for you.
Should you worry?
All data breaches should be taken seriously, but the data in these MGM Resorts leaks — while sensitive — doesn’t necessarily put you at risk if you have strong data security practices to begin with.
The good news is that it appears no financial information has been leaked, and since you don’t create a username or password to stay at a hotel, you don’t need to worry about people breaking into your other accounts with credential stuffing.
That said, the leak does include names, dates of birth, phone numbers, email addresses and physical addresses, but there are plenty of other places where that information is available — some of it publicly — if someone really wants to find it. That data alone isn’t enough to commit full-on identity theft, but it can certainly aid someone’s attempt.
This is why it’s important to keep your passwords unique and devoid of any personal information. And, as always, limit how much personal info you voluntarily add to your various accounts and social media profiles.
What guests should do
If you’ve stayed at an MGM Resort location or the MGM Grand hotel, you need to punch up your general account security. Turn on two-factor authentication and the highest-security settings possible for all your accounts, update your passwords and use a password manager if anything in the data might help someone crack your accounts, and remove any personal info from accounts that don’t need it.
You should also keep an eye out for suspicious bank and other financial activity just in case, and immediately contact those institutions if you notice anything. These preventative measures will help you catch unauthorised login attempts and other activity early — whether your personal info is in that leaked MGM Resorts database or not.