MGM Resorts data breach grows to potentially 142 million people, hacker claims

The MGM Grand hotel and casino in Las Vegas in a vintage photo.
(Image credit: GTS Productions/Shutterstock)

The 2019 data breach at luxury hotel chain MGM Resorts may have affected over 142 million guests rather than the previously stated 10.6 million. 

According to ZDNet, a hacker is looking to sell the personal data of 142,479,937 people who had stayed at an MGM Resort hotel over the past several years.

In an advertisement posted on a dark web hacker forum, the cybercrook is charging $2,939 for access to the compromised data. 

“MGM Resorts was hit by cybercriminals, first reported by ZDNet, who listed personal and contact details for 10.6 million hotel guests, including celebrities, employees and government officials,” reads the ad. 

“However, what was not reported was that MGM Grand Hotels was also breached, consisting of 142 million entries.”

The perpetrator claims to have gained access to the vast amount of data after hacking into the systems of Night Lion Security-owned threat-intelligence monitoring platform DataViper.

This week, it emerged that DataViper's systems had been targeted by hackers and saw 8,200 databases stolen. These presumably contained the personal information of billions of people affected by past data breaches.

What to do about the MGM Resorts data breach

The stolen data did not include credit card numbers or Social Security numbers, but did include full names, street addresses, email addresses, phone numbers and dates of birth. 

That's enough to give identity thieves a head start. If you stayed at an MGM Resorts property in the past several years, you might want to consider signing up with one of the best identity-theft-protection services.

MGM Resorts owns or operates several properties in Las Vegas, including the Aria, Bellagio, Delano, Excalibur, Luxor, Mandalay Bay, MGM Grand, Mirage, New York New York, Park MGM and Vdara hotels.

Outside of Las Vegas, the company runs or owns the MGM National Harbor resort in Maryland, the MGM Springfield in Massachusetts, the MGM Grand Detroit, the Borgata in Atlantic City, the Gold Strike Casino Resort in Mississippi and the Yonkers Raceway and Empire City Casino in New York.

Questions remain 

Vinny Troia, founder of Night Lion Security, denied that the MGM data had been stolen from his company. 

Speaking to ZDNet, Troia claimed that his firm had “never owned a copy of the full MGM database and that the hackers are merely trying to ruin his company's reputation”.

In a statement given to ZDNet, MGM Resorts said it “was aware of the scope of this previously reported incident from last summer” and claimed that it “has already addressed the situation.”

The data breach took place last summer, and hackers were able to gain access to a cloud server and subsequently steal the personal information of 10.6 million guests, including high-profile figures such as Justin Bieber and Twitter boss Jack Dorsey.

As a result of the breach, the hackers stole sensitive information such as names, home addresses, emails, phone numbers and birth dates. While the hacker in question claims to have access to the data of 142 million people, the number of people affected by the breach may actually surpass 200 million. 

  • More: Stay anonymous and safer online with the best VPN

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!