The personal information of 10.6 million guests who stayed at MGM Resorts hotels was stolen by hackers this summer and posted on a hacking forum this week.

ZDNet revealed in an exclusive report that the personal details of more than 10.6 million users who stayed at MGM Resorts hotels were published on a hacking forum this week.

The list of customers whose data were stolen includes celebrities, tech CEOs, reporters, government officials, and employees at some of the major tech companies (e.g. Twitter CEO Jack Dorsey, Justin Bieber).

The huge trove of data contains personal details for 10,683,188 former hotel guests, including full names, home addresses, phone numbers, emails, and dates of birth.

MGM Resorts Dump (source ZDNet)

ZDNet validated the authenticity of the data by contacting past guests of the hotel, including international business travelers, reporters attending tech conferences and CEOs attending business meetings.

The incident was confirmed by a spokesman for MGM via email.

“Within an hour after we reached out to the company, we were in a conference call with the hotel chain’s security team. Within hours, the MGM Resorts team was able to verify the data and track it to a past security incident,” reported ZDNet.

“An MGM spokesperson told ZDNet the data that was shared online this week stems from a security incident that took place last year.”

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM told ZDNet.

The company ruled out that the hackers stole financial and payment card data or passwords.

“We are confident that no financial, payment card or password data was involved in this matter.”

The MGM Resorts chain confirmed it has already notified all impacted hotel guests and reported the incident to the authorities.

The company also investigated the extent of the incident with the help of two cybersecurity forensics firms.

“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” the company said.

The availability of the dump on a hacking forum was first reported by the security firm Under the Breach.

According to MGM Resorts, the data was old; none of the customers in the archive stayed at the hotel past 2017.

In November 2018, the Marriott hotel chain announced that data from as many as 500 million guests at its Starwood hotels may have been compromised by a security breach that occurred in 2014.

The Marriott incident is the biggest data breach for the hospitality industry.

Pierluigi Paganini

(SecurityAffairs – hacking, MGM resorts)