
MGM Resorts Hack 2023
Imagine calling your company’s IT help desk, pretending to be an employee, and using that 10-minute conversation to unlock access to an entire global hotel and casino empire. No sophisticated malware. No zero-day exploits. Just a phone call.
That is exactly what happened in September 2023. A group of young hackers, most believed to be in their early twenties, brought MGM Resorts International to its knees. The attack paralyzed Las Vegas hotel operations, shut down slot machines, and cost MGM over $100 million.
MGM Resorts Hack 2023: Who Is MGM Resorts?
MGM Resorts International is one of the world’s largest hospitality companies. It operates 31 hotel and casino destinations globally. In Las Vegas, its properties include the Bellagio, MGM Grand, Mandalay Bay, and the Aria. The company generates over $14 billion in annual revenue and employs approximately 75,000 people.
Hotels and casinos are complex cybersecurity environments. They handle massive amounts of financial data and run interconnected systems — from slot machines to room locks to payment terminals. Continuous digital uptime is essential to their operations.
MGM Resorts Hack 2023: Who Are Scattered Spider?
The group behind the MGM Resorts hack 2023 is tracked under several names: Scattered Spider, UNC3944, and Octo Tempest. What makes this group remarkable is their profile — they are believed to be primarily English-speaking young adults, mostly from the U.S. and U.K., with some members reportedly as young as 19.
Scattered Spider specializes in one particularly powerful technique: social engineering. Specifically, they use vishing — voice phishing — to manipulate help desk staff into handing over access credentials. Before MGM, they had already successfully breached Twilio, LastPass, and dozens of other companies using the same method.
MGM Resorts Hack 2023: Step-by-Step Timeline
Step 1 — Reconnaissance via LinkedIn
First, Scattered Spider gathered intelligence. Using LinkedIn and other open-source tools, they identified an MGM employee. They collected basic details — name, job title, department — all freely available on professional networking sites.
Step 2 — The MGM Hack 2023 Phone Call
Armed with the employee’s details, a hacker called MGM’s IT help desk. In approximately 10 minutes, they impersonated the employee and convinced the technician to reset account credentials and disable multi-factor authentication.
This technique exploits the natural tension in every IT help desk: staff are trained to help. When someone calls with the right information and a convincing story, the instinct is to assist them.
Step 3 — Network Infiltration
With valid credentials, Scattered Spider accessed MGM’s Okta identity management system. From there, they escalated privileges and gained access to MGM’s Microsoft Azure cloud environment. They then deployed ALPHV/BlackCat ransomware across MGM’s infrastructure.
September 10, 2023 — The MGM Hack 2023 Goes Public
When the ransomware activated, the disruption was immediate and visible across Las Vegas:
- Hotel guests could not use digital room keys and waited in long queues for physical cards.
- Slot machines across casino floors went dark and stopped working.
- Online reservations and check-in systems went offline.
- ATMs inside MGM properties stopped dispensing cash.
- The MGM Rewards loyalty app became completely inaccessible.
The operational disruption lasted approximately 10 days.
MGM Hack 2023 vs Caesars Palace: Two Different Responses
The MGM story became even more dramatic when reports revealed that Scattered Spider had also attacked Caesars Entertainment — MGM’s biggest competitor — just weeks earlier. They used the exact same social engineering method.
The key difference: Caesars quietly paid approximately $15 million in ransom (reduced from $30 million) and kept the breach mostly private. MGM chose not to pay — and experienced 10 days of very public chaos as a result.
Both responses carry trade-offs. Paying ransom funds criminal organizations. Not paying can mean prolonged disruption and data exposure. Furthermore, there is no guarantee that paying ransomware operators actually prevents data from being published.
MGM Hack 2023: The Financial Damage
MGM disclosed in its earnings filings that the 10-day disruption cost approximately $100 million in lost Las Vegas revenue alone. Additional costs included cybersecurity remediation, legal fees, and regulatory investigations.
Personal data of many customers was also stolen — including names, contact details, driver’s license numbers, and for some customers, Social Security numbers and passport information. This created substantial ongoing legal liability.
MGM Hack 2023 Lessons: Why Social Engineering Is the Biggest Threat
1. Your Help Desk Is a Critical Attack Surface
IT help desks are designed to assist, which makes them vulnerable to manipulation. Organizations must implement strict identity verification for any request involving password resets, MFA disabling, or elevated access. A callback to a verified corporate number, or a manager approval workflow, can stop an impersonation call of this kind.
2. Never Disable MFA Over the Phone
The single most damaging action in the MGM hack was convincing the help desk to disable MFA. Therefore, a strict policy should exist: MFA cannot be disabled over the phone under any circumstances. Period.
3. LinkedIn Is an Intelligence Source for Attackers
Professional networks give attackers detailed organizational charts, employee names, and roles. Consequently, security awareness training should include teaching staff about the information they share publicly and how attackers use it.
4. Test Your Help Desk With Simulated Attacks
Organizations should conduct regular vishing simulations — simulated social engineering calls against their own help desk. This is one of the most valuable security investments available.
How to Protect Against MGM-Style Social Engineering Attacks
- Implement strict callback verification procedures for all help desk access requests.
- Create a firm policy: MFA can never be disabled or bypassed by phone request alone.
- Run regular security awareness training with real social engineering simulations.
- Limit what personal information senior executives share on LinkedIn and social media.
- Use privileged access management (PAM) tools to control and audit elevated access requests.
- Deploy AI-powered identity security platforms that flag unusual access patterns.
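The chain from the timeline above (a help desk account resets a user's password and disables MFA, then a sign-in arrives from a device never seen for that user) is one access pattern worth alerting on. The Python below is an added example, not part of the original article; the event schema, account names and device IDs are constructed for illustration and do not match any real identity provider's log format.

```python
from datetime import datetime, timedelta

# Constructed audit events in a simplified, hypothetical schema (not a real IdP export).
# "actor" is who performed the action; "device" is set only on logins.
EVENTS = [
    {"ts": "2023-09-01T08:00:00", "type": "login", "user": "a.lee", "actor": "a.lee", "device": "laptop-1"},
    {"ts": "2023-09-01T08:05:00", "type": "login", "user": "b.kim", "actor": "b.kim", "device": "laptop-2"},
    {"ts": "2023-09-08T09:00:00", "type": "password_reset", "user": "b.kim", "actor": "helpdesk02", "device": None},
    {"ts": "2023-09-08T09:05:00", "type": "login", "user": "b.kim", "actor": "b.kim", "device": "laptop-2"},
    {"ts": "2023-09-08T14:02:00", "type": "password_reset", "user": "a.lee", "actor": "helpdesk01", "device": None},
    {"ts": "2023-09-08T14:06:00", "type": "mfa_disabled", "user": "a.lee", "actor": "helpdesk01", "device": None},
    {"ts": "2023-09-08T14:15:00", "type": "login", "user": "a.lee", "actor": "a.lee", "device": "unknown-77"},
    {"ts": "2023-09-08T16:00:00", "type": "mfa_disabled", "user": "c.roy", "actor": "c.roy", "device": None},
    {"ts": "2023-09-08T16:03:00", "type": "login", "user": "c.roy", "actor": "c.roy", "device": "phone-9"},
]

RESET_TYPES = ("password_reset", "mfa_disabled")

def find_takeover_chains(events, window=timedelta(hours=1)):
    """Return one alert per user whose password reset AND MFA removal were both
    done by another account, then followed by a login from a device never seen
    for that user, all inside `window`."""
    seen_devices = {}   # user -> devices observed in earlier logins
    pending = {}        # user -> {reset type: (time, actor)}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] in RESET_TYPES and e["actor"] != user:
            # Reset performed on the user's behalf (e.g. by help desk staff).
            pending.setdefault(user, {})[e["type"]] = (ts, e["actor"])
        elif e["type"] == "login":
            devices = seen_devices.setdefault(user, set())
            resets = pending.get(user, {})
            if len(resets) == len(RESET_TYPES) and e["device"] not in devices:
                first = min(t for t, _ in resets.values())
                if ts - first <= window:
                    alerts.append({
                        "user": user,
                        "device": e["device"],
                        "reset_by": sorted({a for _, a in resets.values()}),
                        "login_at": e["ts"],
                    })
                    del pending[user]
            devices.add(e["device"])
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(EVENTS):
        print(alert)
```

Only the `a.lee` sequence is flagged: `b.kim` had a password reset without MFA removal and logged in from a known device, and `c.roy` changed MFA through self-service.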
The MGM Resorts hack 2023 delivered a hard message: you can spend millions on firewalls and endpoint protection, and a group of young adults can bypass all of it with a phone call. Technology cannot fully protect against human manipulation. Culture, training, and strict verification procedures are the only real defense.