Skip links

Millions of people’s info stolen from MGM Resorts dumped on Telegram for free

Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they “assume at least 30 million people had some of their data leaked.” MGM Resorts, a hotel and casino chain, did not respond to The Register‘s request for comment.

The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter’s Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

But while crooks initially sold those 142 million records on a dark-web marketplace for about $3,000 as a packaged deal, this time the data is freely available on Telegram, which vpnMentor rightly describes as “much more accessible for even the least tech-savvy people.” 

Perhaps the recent takedown of stolen-data market RaidForums and the Hydra dark-web souk has something to do with this? Or that the info is no longer worth selling, or no one’s interested in buying it, perhaps.

According to the VPN services company, the data dumped on Telegram includes the following customer information from before 2017:

  • Full names
  • Postal addresses
  • Over 24 million unique email addresses
  • Over 30 million unique phone numbers 
  • Dates of birth

In other words: everything an identity theft would need to get started. No unencrypted payment details, we note, but still not great.

As the researchers noted: “Bad actors could send phishing messages and scams to exposed users via SMS and email, using the victims’ full names and home or business addresses to build trust.”

Since that MGM Resorts security breach is two-plus-years-old, the customers’ whose data has been exposed (again) may not expect to be targeted, the cyberexperts explained. Additionally, miscreants may “target elderly people (thanks to the detail regarding the date of birth) and try to scam them as an easier target,” vpnMentor warned.  

The hotel guests’ data leak comes as automaker General Motors this week confirmed the credential-stuffing attack it suffered last month exposed customers’ names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts.

And once again, identity theft made the top-five list for the most reported cyberscams, according to the FBI’s annual Internet Crime Report.

The report with 2021’s statistics, which was published earlier this month, recorded 51,629 identity-theft complaints last year, compared to 43,330 in 2020 — that’s a 19 percent increase. These crimes cost businesses and individuals more than $278 million in losses last year, according to the bureau. ®

Speaking of violated privacy… Twitter has settled with America’s FTC and Dept of Justice, and agreed to cough up $150 million, for allegedly breaking consumer-protection law by “misrepresenting how it would make use of users’ nonpublic contact information.”

Specifically, between 2013 and 2019, Twitter asked for users’ email addresses and phone numbers to secure their accounts and didn’t tell anyone it was using that information for targeted advertising, prosecutors said on Wednesday. That drew the ire of the FTC and the DoJ, leading to a lawsuit and today’s proposed settlement.