Skip to Content
© Ritu Jethani |
Security & privacy

140 million hotel guest records exposed – see if your data is for sale

Las Vegas is home to some of the world’s most spectacular hotels and attractions, and staying on the Strip can sometimes fetch a hefty price. So what happens when a data breach hits one of these luxury destinations and spills the personal details of its high-rolling guests?

Well, you have a disaster in the making, that’s what. Back in February, MGM Resorts announced it was the victim of a massive data leak that happened in the summer of 2019 which included guest names, addresses and other personally-identifying information. Tap or click here to see the extent of what was leaked.

But now, new evidence has emerged showing the data breach was much, much worse than initially thought. Instead of the roughly 10 million guests exposed as previously reported, the leak looks as if more than 100 million guests are now at risk. Here’s what we know, and what you can do if you stayed at an MGM resort.

MGM data breach gets worse and worse

According to an exclusive report by ZDNet, last year’s MGM Resorts data breach appears to have been much larger in scope than previously believed. The breach is now estimated to include more than 142 million guests, which is more than 10 times as many people now at risk for identity theft!

How do we know the amount has gone up? Evidence has emerged where most breached data ends up: dark web marketplaces. On a popular hacker forum, a user posted a listing for the hotel’s data alleging to contain the details of 142,479,937 guests. And to make matters worse, you can buy all this data for chump change with a listing price only a bit over $2,900!

The hacker who made the post also claims that they obtained the data by attacking DataViper, a leak monitoring service contracted by MGM Resorts. To its defense, DataViper’s parent company claims the amount of guest data is inaccurate, and that the hacker is attempting to defame his company.

Regardless of who is to blame, MGM has alerted guests who are at risk for the breach to take all necessary precautions to protect themselves. And keep in mind that MGM has a number of properties.

MGM-owned or operated properties in Las Vegas:

  • ARIA
  • Bellagio
  • Delano
  • Excalibur
  • Luxor
  • Mandalay Bay
  • MGM Grand
  • NoMad
  • The Mirage
  • New York-New York
  • Park MGM
  • Vdara at ARIA

MGM-owned or operated properties in other parts of the U.S.:

  • Maryland: MGM National Harbor
  • Massachusetts: MGM Springfield
  • Michigan: MGM Grand Detroit
  • Mississippi: Gold Strike Casino Resort (Tunica) and Beau Rivage Resort & Casino (Biloxi)
  • New Jersey: The Borgata (Atlantic City)
  • New York: Yonkers Raceway and Empire City Casino
  • Ohio: MGM Northfield Park

Thankfully, none of the leaked materials appear to involve payment information or financial data, with an MGM spokesperson commenting that the vast majority of data consisted of “contact information like names, postal addresses, and email addresses.”

Still, we might not even know the exact scope of the data just yet, either. According to security researchers speaking to ZDNet from intel firm KELA, users on Russian hacker forums have discussed the breach involving around 200 million guests. We’ll be updating this story should more information arise.

Another breach to worry about: LiveAuctioneers leak

MGM isn’t the only organization suffering from a significant breach recently, either. According to reports from BleepingComputer, the popular e-commerce platform LiveAuctioneers was involved in an online data listing totaling 3.4 million stolen user records.

Just like with MGM, the LiveAuctioneers data was posted to a dark web forum for other hackers to purchase. The data involved was mostly the same as with the MGM leak, but with two key differences: passwords and social media profiles were also involved.

If you used LiveAuctioneers within the past year, you may be at risk for compromise. This goes double if you share your passwords across multiple platforms. Tap or click here to see why this is such a bad idea.

What can I do to protect myself from these breaches?

There are a few steps you can take to check if your data was involved, as well as protect yourself if you’re part of a leak.

To double-check if your data was involved in this leak (or many others, for that matter), click here to visit HaveIBeenPwned. This website will let you enter your email address to check if your account has been included in any recent breaches.

If you’ve been affected by any data breach whatsoever, you should immediately change your email password. If you share that password with any other online accounts, hackers have a perfect opportunity to attack you across the web.

You may also want to set up two-factor authentication for all of your most frequently used accounts. Tap or click here to see how to set up 2FA.

In the end, it’s up to us to take our own security seriously, as well as frequently change our passwords. As data breaches become more commonplace, it’s wise to keep your eyes open and avoid slipping into a false sense of security. If you’re proactive, you’ll be doing more to defend your data than waiting for the next big breach.

Stop robocalls once and for all

Robocalls are not only annoying, but they scam Americans out of millions every year. Learn Kim's tricks for stopping them for good in this handy guide.

Get the eBook