The v that became known in February was apparently more serious than previously known. Instead of the originally reported 10.6 million guests, up to 142 million people could be affected. At least that suggests the offer of a hacker in a cybercrime marketplace in the Darknet.
At least this number is given by the hacker NightLion. However, the data should not come directly from the attack from the MGM hotels, but should have been captured in July when DataViper broke in. The US security company offers services for monitoring leaked data.
However, the company’s founder told ZDNet USA that his company had never owned a full copy of the MGM database. Apparently it was an attempt by hackers to damage DataViper’s reputation.
When asked by ZDNet USA, MGM Resorts did not want to confirm the figure of 142 million data mentioned in the hacker’s offer. The company only said that it knew the extent of the data theft. The data were mainly contact information, names, postal addresses and email addresses. Neither financial data nor social security numbers or details about hotel bookings were compromised.
The attack itself took place in summer 2019. A hacker managed to crack the hotel chain’s cloud server. MGM Resorts noted the slump last year, but did not make the data loss public. Affected guests informed about the incident.
The data loss only came to light in February 2020. At that time, data from 10.6 million MGM hotel guests was offered free of charge in a hacker forum. At the time, MGM admitted the break-in without commenting on its scope.
The security company Kela even assumes that the attack has killed over 142 million people. MGM Resorts data has been circulating in hacker circles since July 2019. Since then, entries in Russian hacker forums have spoken of a database with details of more than 200 million hotel guests.