
MGM Resorts hack impact continues.

06 June 2022
BREACHAWARE HQ
MGM

A total of 8 breach events were found and analysed, resulting in 25,350,997 exposed accounts containing a total of 15 different types of personal data. The breaches found publicly and freely available included MGM Resorts (2), YopMail, State Fiscal Service of Ukraine, Gaming Now and BandhoB. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Technical Data, Socio-Demographic Data, Social Relationships Data, Usage Data, Communications Data, Financial Data.

Data Breach Analysis

One of the most prominent organisations affected was MGM Resorts, which appears twice in the dataset, likely pointing to multiple distinct breaches or leak points. As a major international hospitality brand, MGM Resorts manages vast troves of customer data, spanning identities, reservation histories, and loyalty program information. Breaches tied to such a platform can compromise not only personal privacy but also financial security and even physical safety for high-profile guests or those using location-based services.

Equally concerning is the inclusion of the State Fiscal Service of Ukraine, a national government agency involved in tax administration. Any compromise of data from a government system may not only expose sensitive records of individuals and businesses but also present broader geopolitical and national security implications. Given the region’s ongoing digital warfare landscape, even publicly accessible datasets could be leveraged to undermine confidence, disrupt governance, or enable targeted phishing attacks.

The breach of YopMail, a disposable email service, might at first seem less critical. However, it serves as a key reminder of how secondary or workaround tools in the digital ecosystem can still become points of compromise. While YopMail users typically intend to shield their real identities, many reuse passwords or link disposable accounts with sensitive services, unintentionally extending risk vectors.

Also affected were Gaming Now and BandhoB, online platforms likely tied to gaming and social interaction respectively. The gaming sector has emerged as an increasingly popular target due to its large, often young user base, reliance on user-generated content, and significant volumes of in-app purchasing. These platforms tend to store interaction histories, IP logs, and personal identifiers, information that, when breached, could be used to impersonate users, harass individuals, or escalate into social engineering attacks across more critical services.

Taken together, the affected platforms spanned multiple regions and digital functions, from state institutions and international travel to niche entertainment communities. This diversity highlights the interconnected nature of modern data ecosystems, where an exposure in one seemingly isolated system can act as a stepping stone into broader compromise.

One pattern that emerges from this batch is the blend of high-profile and lesser-known platforms. While breaches at brands like MGM Resorts grab headlines, it is often smaller or more obscure sites, those lacking robust cybersecurity measures, that serve as silent risk multipliers. These sites may serve niche audiences but often rely on shared infrastructure, reused credentials, or integration with broader authentication systems (like Google or Facebook login), making them high-value weak links.

For individuals, the impact of being included in one of these breaches depends on multiple factors, such as the sensitivity of the compromised data, the uniqueness of login credentials, and the level of password reuse. However, the cumulative risk across multiple breaches can be far more damaging than any one incident alone. An exposed email on one platform and a matching password on another can allow attackers to “chain” breaches together, moving laterally through a person’s digital life.

From an organisational perspective, the reputational damage and regulatory scrutiny following a breach can be significant. For MGM Resorts and government entities, the implications extend beyond public trust into potential legal ramifications, including penalties under data protection regulations such as the GDPR or regional equivalents.

The inclusion of diverse types of institutions in this breach set (entertainment, governance, tech utilities) serves as a reminder that cyber risk is universal. Whether an entity stores high-value financial records or basic account metadata, the demand for breached data on dark web marketplaces ensures that all data has value to someone. Moreover, many of the platforms affected may not even be aware of how their data came to be exposed publicly, which raises additional concerns about third-party leaks, misconfigured databases, or insider threats.

Looking ahead, the priority for both individuals and organisations must be layered protection. For users, this includes enabling two-factor authentication, using password managers, and avoiding credential reuse. For organisations, especially those operating in high-risk sectors like travel, governance, or social media, the investment in data minimisation, encryption, breach detection, and third-party vetting is no longer optional; it is foundational.

In conclusion, the 8 analysed breaches collectively affecting over 25 million accounts demonstrate that digital trust is easily eroded but difficult to restore. While some names in this list are instantly recognisable and others less so, the message is the same: no data is too small to be targeted, and no system too peripheral to be overlooked.

Spotlight

VPN companies continue to be targeted, and data that has exhausted its commercial value to the cybercriminal is now publicly available. The data sets for VPN services are more sensitive and valuable, containing fields such as email address, payment method, hashed passwords, and credit card numbers. The hacker got into the backup database and got all the data from there.

Another Indian-based data leak came from a tax report filing app. That may seem insignificant, but the number of sensitive datasets obtained because of the breach should not be underestimated. We’ve noted partial credit card information as well as MD5-hashed passwords, which are on the easier side to crack. More revealing and worrying for the end user is that the data included the admin login for the site.

The MGM Resorts hack impact continues with a new file circulating online containing a huge section of their customers' information. The file has over 24 million email addresses and is estimated to affect 30 million users. This is MGM Resorts' second leak; previously, an estimated 10.6 million users were exposed to threat actors.

An interesting breach involved a disposable email address service. The objective of a disposable email address is to avoid giving out your personal email address in order to protect it, whether for reasons of confidentiality or to avoid receiving spam.

Other industries impacted this week are tech, marketing, financial services, retail, hotel entertainment, gaming and Federal Government.
