MGM Hotels & Resorts Data Hack: 142 Million Personal Data Sets Of MGM Customers Circulating On Telegram

There are some more worrisome news for MGM Hotels & Resorts and their customers as an extensive data set containing personal information of 142 Million hotel guests is now circulating on Telegram and freely accessible.

The data stems from a hack that MGM suffered in 2020 after which the 142 Million data sets were originally offered for sale at a price of $2900, this data is now downloadable for free (likely due to the age of the material).

No matter if it’s old or not, the data in most cases is still current as it contains the name, DOB, address, phone number, email, and MGM Rewards loyalty number of the customer.

I’ve seen the database firsthand and got several screenshots sent to me, including the data itself and it’s definitely not good to have this stuff circulating.

Hackread also reported this yesterday and the data has already spread across multiple channels:

On July 14th, 2020, Hackread.com reported that a hacker going by the online handle of NightLion stole several databases from the breach monitoring site DataViper. One of the databases belonged to MGM Resorts and contained the personal data of 142 million customers.

Although at that time NightLion was selling the data on now seized Rainforums and dark web marketplaces for $2,900, the latest reports reveal that the same database comprising 142 million records has been shared on Telegram for the public to download for free.

MGM Resorts International is an American chain of hotels and an entertainment firm. Its hotels are located in the United States and China. …

As for the MGM Resorts, according to VPNMentor researchers, who identified the data on 22 May 2022, four archives of files were discovered containing 8.7GB of data. Currently, researchers are unclear about the exact number of affected users, but rough estimates suggest this leak could impact around 30 million people.

VPNMentor researchers have confirmed that personally identifiable information/PII is part of the data leaked on Telegram. The information belongs to MGM Hotels customers spread across the globe and includes the following data:

• Full names
• Dates of birth
• Phone numbers
• Email addresses

According to the hacker who published the data on Telegram, there are 142,479,938 records in the leak dating back to 2017. This includes more than 24 million unique email IDs and over 30 million unique contact numbers. …

How does this look like?

This is how the four files appear for download:

I had a look at screenshots of the data that include myself and those sharing similar names. All very detailed although the contact information is outdated.

Personally I always use UPS mailbox addresses for my loyalty programs and even hotel reservations so I’m not too concerned about this, but considering this has all the information that MGM asks for when calling in with my Noir number it has some additional compromising potential vested in it.

MGM has never replied to any complaints made to them about this matter and hasn’t offered any compensation either.

Online searches reveal several current class-action lawsuits against MGM related to other data leaks that occurred in 2019 and affected roughly 200 million customers. So far nothing comes up when searching for the 2020 incident.

Conclusion

The personal data including address, date of birth, and phone number of 142 million customers which has been stored by MGM Hotels & Casinos has now found a new distribution source. It was first circulated on the Dark Web where it was offered for sale but now the data has found a way into various Telegram chat groups where it can be downloaded for free.

Four blocks of data are available to anyone who deems it interesting enough to download. Customers who find themselves in these logs (just like myself) should pay extra attention to the communication they’re receiving at their cellphone, email, and home address. It might very well be possible that fraudsters will develop a new scam with this data such as calling up people, pretending to be from MGM, and asking for their social security number (which MGM does NOT have on file). Be careful!