A hacker is reportedly selling more than 142 million MGM hotel guest credentials on the dark web marketplace.
In 2019, a hacker reportedly stole 10.6 million hotel guest credentials from the MGM Resorts computer system. According to recent developments, the hack has a far bigger scope than originally estimated. Recently, a dark web ad is putting more than 142 million MGM customer credentials up for sale.
To be exact, the dark web ad is selling 142,479,937 MGM hotel guest credentials for around $2,900. The ad also states that the data are as recent as July. If this is true, then the original MGM hack is far bigger than originally perceived.
Breach of security
According to the ad, the stolen data was acquired through a system breach of DataViper. The website is known for monitoring data leaks and is operated by Night Lion Security.
Researchers have found 142 million personal details from former guests at the #MGMResorts hotels for sale on the #DarkWeb, evidence that a data leak from the hotel chain last summer may be far bigger in scope than previously thought. https://t.co/vcS5AzNkPb via @threatpost pic.twitter.com/8UIi8hqbNP
— Peter Tran (@ptrancyber) July 14, 2020
In a statement to ZDNet, Night Lion Security founder Vinny Troia denies owning a copy of the hacked MGM database. Mr. Troia added that the hacker simply wants to damage his company’s reputation.
There are rumors claiming that there could more than 142 million stolen credentials. Cybersecurity experts who followed the 2019 MGM hack said that there could be more. One expert said that there are ads claiming to sell more than 200 million MGM customer data on the dark web.
Response from MGM
According to MGM, the company has already notified customers affected by the data leak. The company added that they are aware of how widespread the attack is.
The original MGM hack took place in 2019. At that time, the hacker was able to penetrate the company’s cloud server and stole customer information. Initial investigation revealed that data from both current and past customers were stolen.
Although the hack took place in the summer of 2019, MGM did not report the incident to the public. Nevertheless, the company said that it had notified all affected customers since it is required by law.
In a statement to ZDNet, an MGM spokesperson said:
“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation.”
The company added that most of the stolen data are contact information, including names and email addresses. Sensitive information like Social Security number and financial data were reportedly left untouched.
It is still unclear whether the hacker is working alone or have connections to other hacking groups. What is clear now is that the MGM Resort hack appears to be a massive breach of security.
Image courtesy of REDPIXEL.PL/Shutterstock