Millions of people's info stolen from MGM Resorts dumped on Telegram for free

Meanwhile, Twitter coughs up $150m after using account security contact details for advertising


Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

But while crooks initially sold those 142 million records on a dark-web marketplace for about $3,000 as a packaged deal, this time the data is freely available on Telegram, which vpnMentor rightly describes as "much more accessible for even the least tech-savvy people." 

Perhaps the recent takedown of stolen-data market RaidForums and the Hydra dark-web souk has something to do with this? Or that the info is no longer worth selling, or no one's interested in buying it, perhaps.

According to the VPN services company, the data dumped on Telegram includes the following customer information from before 2017:

  • Full names
  • Postal addresses
  • Over 24 million unique email addresses
  • Over 30 million unique phone numbers 
  • Dates of birth

In other words: everything an identity theft would need to get started. No unencrypted payment details, we note, but still not great.

As the researchers noted: "Bad actors could send phishing messages and scams to exposed users via SMS and email, using the victims' full names and home or business addresses to build trust."

Since that MGM Resorts security breach is two-plus-years-old, the customers' whose data has been exposed (again) may not expect to be targeted, the cyberexperts explained. Additionally, miscreants may "target elderly people (thanks to the detail regarding the date of birth) and try to scam them as an easier target," vpnMentor warned.  

The hotel guests' data leak comes as automaker General Motors this week confirmed the credential-stuffing attack it suffered last month exposed customers' names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts.

And once again, identity theft made the top-five list for the most reported cyberscams, according to the FBI's annual Internet Crime Report.

The report with 2021's statistics, which was published earlier this month, recorded 51,629 identity-theft complaints last year, compared to 43,330 in 2020 — that's a 19 percent increase. These crimes cost businesses and individuals more than $278 million in losses last year, according to the bureau. ®

Speaking of violated privacy... Twitter has settled with America's FTC and Dept of Justice, and agreed to cough up $150 million, for allegedly breaking consumer-protection law by "misrepresenting how it would make use of users’ nonpublic contact information."

Specifically, between 2013 and 2019, Twitter asked for users' email addresses and phone numbers to secure their accounts and didn't tell anyone it was using that information for targeted advertising, prosecutors said on Wednesday. That drew the ire of the FTC and the DoJ, leading to a lawsuit and today's proposed settlement.


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading

Biting the hand that feeds IT © 1998–2022