Millions more MGM Resorts guests were compromised than first thought, in a data breach (opens in new tab) that took place in the summer of 2019 and came to light earlier this year.
In February, TechRadar Pro reported that the details of 10.6 million customers had been acquired (opens in new tab) by hackers. However, the actual figure was revealed to be magnitudes greater, after the personal records of roughly 142.5 million guests were put up for sale on an underground marketplace.
Available for $2,900 worth of either Bitcoin (opens in new tab) or Monero (opens in new tab), the database is said to contain personally identifiable information such as names, postal and email addresses, phone number and dates of birth, but no financial information.
- We've built a list of the best malware removal (opens in new tab) services around
- Check out our list of the best identity theft protection (opens in new tab) solutions out there
- Here's our choice of the best ransomware protection (opens in new tab) on the market
MGM data breach
The MGM breach came about as a result of a security vulnerability in one of the hotel chain’s cloud servers, which allowed hackers to siphon information about previous guests, including Twitter CEO Jack Dorsey and pop star Justin Bieber.
After uncovering the incident, MGM alerted the affected customers as per applicable data protection regulations, but did not publish any information about the breach.
The attack first came to light after the details of 10.6 million customers were posted to an online hacking forum - a data set that now appears to account for only a small proportion of the total number of guests affected.
The hacker responsible for the newly listed database, containing millions of additional records, claims to have scraped the data during a recent attack on data leak monitoring service DataViper.
However, the founder of DataViper parent company Night Lion Security has disputed the assertion, which he referred to as an attempt to tarnish the reputation of his business.
MGM claims to have always been aware of the total number of guests compromised, which the firm was not legally obliged to disclose.
“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” said the company.
It could later emerge, however, that the breach is even larger than the 142.5 million figure that came to light today, with a post to one Russian hacking forum boasting of a database stocked with information on upwards of 200 million MGM customers.
- Check out our list of the best antivirus services (opens in new tab) available
Via ZDNet (opens in new tab)