MGM data breach exposed personal details of 10.6 million hotel guests

They were posted on a hacking forum, 'ZDNet' has confirmed.

If you've stayed at an MGM Resorts hotel, you may be among victims of the latest massive data breach. The personal details of more than 10.6 million hotel guests were recently posted on a hacking forum, and ZDNet has confirmed the data's authenticity. ZDNet said the data dump contains affected guests' full names, home addresses, phone numbers, emails and dates of birth. Names and information in the breach include tech CEOs, celebrities, government officials and reporters.

In a statement, MGM Resorts said it already notified affected customers about the breach last year, and that it commissioned two cybersecurity forensics firms to investigate the incident. While guests who only stayed at the resort more recently may not have had their information included, it's unclear which years were covered.

Upon being notified about the breach, the MGM Resorts team told the publication that the company was able to trace the leaked data back to a security breach that took place last year. MGM said that last summer, it discovered an unauthorized entry to a cloud server that housed some information for "certain previous guests" to its hotels.

The spokesperson emphasized that the company is confident "no financial, payment card or password data was involved in this matter." And it seems to be much smaller in scale compared to the Marriott security breach, which exposed 500 million guests' details, including 5 million unencrypted passport numbers. Nevertheless, as breach monitoring service Under the Breach told ZDNet, the leaked information is enough to make affected guests a target of spearphishing attacks and SIM-swapping schemes. Details from the breach have been added to the Have I Been Pwned database, and you can register there for a notification of whether your email address is among those included.