The data of over 10.6 million individuals who were guests at MGM Resorts hotels has been left exposed on the dark web, potentially for hackers to abuse.
Leaked data includes guests’ names, addresses, phone numbers, emails, and birthdates. The exposed files – which were posted on a hacking forum – not only gave away the details of regular tourists, but also the information of visiting celebrities, CEOs, reporters, tech company employees, and even government officials.
Notable people whose data has been found among the exposed files include Twitter CEO Jack Dorsey and singer-songwriter Justin Bieber.
In total, the personal details of 10,683,188 former hotel guests was leaked.
ZDNet confirmed the authenticity of the leaked data, together with a security researcher from breach monitoring service Under the Breach. The news outlet reached out to past guests, who confirmed that they had stayed in one of MGM Resorts’ hotels in the past, and that the leaked data was indeed theirs.
MGM Resorts confirmed the incident in an email statement, adding that the leak stems from a security incident that occurred last year.
“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” the hotel chain told ZDNet in its email.
“We are confident that no financial, payment card or password data was involved in this matter.”
MGM Resorts added that it promptly notified all guests affected by the incident. The resorts company also said that it had retained the services of two cybersecurity forensics firms to investigate last year’s server exposure.
“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” the company stated.
The company also gave assurances that the data leaked was old. ZDNet corroborated this claim, discovering in its own investigation that none of the affected former guests stayed at the hotel past 2017. In addition, some of the leaked phone numbers no longer worked, although many were still valid.