Hackers expose personal details of 10 million MGM hotel guests

A major security breach has hit MGM Resorts hotels after the personal details of 10.6 million guests were posted on a hacking forum this week.

The stolen data belongs not only to regular tourists but also to celebrities, tech CEOs, and government officials — among them Twitter CEO Jack Dorsey and Canadian singer Justin Bieber.

The hack, which has been confirmed by MGM Resorts, was first reported by ZDNet following a tip-off from Under the Breach, a soon-to-launch data breach monitoring service.

Leaked files contain the personal details of 10,683,188 former hotel guests, including full names, home addresses, phone numbers, emails, and dates of birth. In an emailed statement to Digital Trends, a spokesperson for MGM Resorts said its team is “confident that no financial, payment card or password data was involved in this matter.”

The company said that it discovered the breach in the summer of 2019. While it has apparently made no public statement about the incident until now, it said that at the time, it contacted guests who may have been affected. It also hired two leading cybersecurity forensics firms to assist with an internal investigation into the incident.

ZDNet said that its own research suggests that none of the data corresponds with guests who made their first booking at an MGM Resorts hotel after 2017.

MGM Resorts isn’t the first hotel group to be targeted by hackers, with Mandarin Oriental and Trump Hotels among others to be hit in recent years. The biggest hotel-related breach, however, affected hundreds of millions of Marriott guests after cybercriminals stole their personal information over a period of several years before the hack was spotted in 2018.

Cybercriminals who succeed in stealing personal data may attempt to sell it via illicit hacking forums, with buyers hoping to use financial data for online shopping sprees or to withdraw money from bank accounts. MGM Resorts said customers’ payment data is safe, but the stolen information in this case could leave victims vulnerable to phishing attacks, SIM swap fraud, and other scams.

MGM Resorts told Digital Trends it takes its responsibility to protect guest data “very seriously,” adding that it has “strengthened and enhanced the security of our network to prevent this from happening again.”

Trevor Mogg
Contributing Editor
Virgin Media breach disclosed details about adult content and gambling habits

British telecom provider Virgin Media experienced a data breach that allowed unauthorized access to highly personal information about hundreds of customers.

"We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorized access," Lutz Schüler, CEO of Virgin Media said in a statement. "We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base. Protecting our customers’ data is a top priority and we sincerely apologize."

Wawa data breach: Hacker is selling 30 million credit cards on the dark web

Credit card data from a security breach that affected an East Coast convenience store chain last year was discovered being sold in the corners of the dark web this week. The amount of data stolen makes it the third-largest credit card breach in history.

Wawa convenience stores announced the attempts to sell the data in a news release on January 28. According to the Gemini Advisory Board, a company that identifies cyberthreats, the credit card information was found on the website called Joker’s Stash marketplace and exposed customer data from 30 million cards. 

The massive LastPass hack from 2022 is still haunting us

Just when you thought the LastPass breach of 2022 was over, we're still learning just how detrimental the hack was. According to blockchain expert ZachXBT and spotted by The Block, $5.36 million was stolen from 40 users in a string of attacks. This is on top of the $4.4 million stolen in October 2023 and $6.2 million earlier this year in February 2024.

The original hack goes back to 2022 when hackers claimed to have accessed LastPass' data, which contained API tokens, customer keys, multifactor authentication seeds (MFA), and encrypted password vaults. Although no official information explains how the breach happened, it's possible that the hacker responsible gained access to information that aided the breach. Hackers forced their way in despite the password vaults being encrypted because users reused weak or previously leaked combinations. This access, combined with the users' weak or reused passwords, led to the various accounts being compromised.
