Personal details of up to 10.6 million people, including Justin Bieber and Twitter head Jack Dorsey, who stayed at an MGM Resorts hotel in the past several years have been posted in an online hacking forum, the hotel chain confirmed.
The compromised information includes 10,683,188 guest records containing full names, street addresses, email addresses, phone numbers and dates of birth, although it seems not all the records held data in each category.
- Best identity theft protection: Keep your digital data safe
- What to do after a data breach
- Plus: Microsoft Edge users blindsided by Google security promo
It's not clear if that number represents the total number of affected individuals, or if repeat guests are counted more than once.
The stolen data did not include credit-card numbers or passwords, but there's still more than enough information there to give identity thieves and SIM swappers a solid head start. (Dorsey may have been the victim of a SIM-swapping attack last August.)
What to do if you think you were part of the MGM breach
The HaveIBeenPwned (opens in new tab) website has already added the 3.1 million email addresses involved, so you can head there to see if your email address was part of the stash.
It's not clear when the data was stolen, but ZDNet (opens in new tab), which was tipped off about the posting of the data on the hacking forum and then analyzed the data with the help of security firm Under the Breach, has concluded that none of the data was collected after 2017.
ZDNet was able to confirm the validity of several records by contacting the individuals named via the phone numbers and email addresses listed in the data.
If you stayed at an MGM Resorts hotel in the few years up to and including 2017, the best thing to do would be to diligently get a free credit report every four months using AnnualCreditReport.com (opens in new tab).
You should also contact your cellular carrier to ask if you can add a PIN lock to your account so that your number can't be ported to another phone without the PIN.
If you're really worried, consider an identity-protection service such as IdentityForce, LifeLock or IDShield, which will monitor the "dark web" for mention of your name and keep an eye on your credit reports and individual accounts.
Oh yeah, we've known for ages. Sorry
MGM Resorts confirmed the theft of the data when ZDNet inquired yesterday (Feb. 19). The company admitted it had learned about the breach last summer, but told ZDNet it had informed affected individuals according to the extent mandated by local laws.
"Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM said to ZDNet. "We are confident that no financial, payment card or password data was involved in this matter."
It's not clear why the general public is learning of this only now. Many states require mandatory disclosure of data breaches to their residents, although the types of data that triggers notifications differs from state to state.
Still, it's hard to imagine how the nature of this breach and the stolen data would have escaped wider scrutiny, given the number of people involved.
Likewise, MGM Resorts gave no indication that it would be compensating affected individuals with free credit monitoring, as most companies do after a data breach.
Tech industry may be especially affected
MGM Resorts hotels include many big-name Vegas establishments, including the MGM Grand, Aria, Bellagio, Excalibur, Luxor, Mandalay Bay, New York New York, Park hotels and Vdara hotels, which host thousands of technology professionals every year for annual conferences like CES and Black Hat.
The company also runs the MGM National Harbor resort near Washington, D.C., the MGM Springfield casino and resort in Massachusetts, the MGM Grand Detroit, the Borgata in Atlantic City and the Gold Strike Casino Resort in Tunica, Mississippi, near Memphis.