author photo
By Bruce Sussman
Thu | Feb 20, 2020 | 9:38 AM PST

Hackers are making a splash in the cyber underworld by trying to sell  information from a data breach that involves more than 10 million customers who stayed at MGM Resorts.

MGM Resorts properties in Las Vegas include Bellagio, Aria, MGM Grand, Mandalay Bay, Park MGM, Mirage, New York New York, Luxor, and Excalibur.

You can imagine the list is loaded with high rollers. And according to ZDNet, it includes some information on tech and Hollywood A-listers.

"Twitter CEO Jack Dorsey, pop star Justin Bieber, and DHS and TSA officials are some of the big names Under the Breach spotted in the leaked files."

And the publication says it received confirmation from MGM Resorts that this is linked to a 2019 data breach:

"Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests." 

This "limited" information included full names, home addresses, phone numbers, emails, and dates of birth. MGM told ZDNet it had previously notified customers of the breach.

What can hackers do with information from MGM data breach?

For most of us, the question after a data breach is this: Should I be worried about this? Does it even make a difference?

New research from Harvard University shows why information from a breach like this is for sale: it is valuable for targeted cyberattacks in the future. 

In Harvard's case, it was two students who recently followed a valuable rabbit trail of hacked data. The data was posted on the Dark Wweb, just like the MGM customer data is right now.

"Most of us just think we're average individuals—why would a hacker want to target me or you if we're not especially powerful or prominent?"

Using the anonymizing Tor software, the pair managed to find a number of forums on the Dark Web where hackers share data leaks.

They found a dataset from the 2015 Experian breach with information on over six million individuals.

They decided to pursue a subset of this information, so they focused on data that the forum said was related to the Washington D.C. area.

Based on that search, they located more than 40,000 unique email addresses.

Next, they used one of the Dark Web's many archiving sites, where you can plug in an email address and discover all the data leaks in which that email appears.

That information led them to credentials, passwords, and usernames.

Once they rejoined this information with the Experian dataset, they connected each online presence to a real-world identity.

"What we were able to do is alarming because we can now find vulnerabilities in people's online presence very quickly," researcher Dasha Metropolitansky said. "We also showed that a cyber criminal doesn't have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria."

[For more, read: What Can Happen if Your Data Is Stolen or  Leaked?]

Which hacking group stole the MGM Resorts data?

ZDNet says there are indications that the Gnostic Players hacking group may be behind this data breach and the attempt to sell it.

In a recent podcast interview, we spoke to security researcher Vinny Troia about this group because he often communicates with them:

"Gnostic Players are fairly new," Troia says. "They came into existence, or they at least announced themselves, in the beginning of 2019. Now, they've easily got 100 different sites under their belt, like My Fitness Pal, My Heritage, the Armor Games data breach, and many more."

The Armor Games data breach also happened in 2019 and was a similar size to the MGM Resorts breach. 

Vinny Troia will keynote SecureWorld Boston, happening March 25-26, 2020. It will be a fascinating talk on his work to help dismantle The Dark Overlord, which is another well-known hacking group.

We're not sure how hackers acquired the MGM Resorts data, only that they accessed a database in the cloud.

Matt Walmsley of cybersecurity firm Vectra says it's another reminder for business:

"As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorized access wherever they happen.

Attackers don't operate in silos of local, mobile, network, data centers, or cloud—neither should our security capabilities."

Tags: Data Breach,