What just happened? What’s worse than a data breach? A data breach that impacted a lot more people than first reported. That’s the situation MGM Resorts finds itself in, after a 2019 hack that was initially said to have affected 10.6 million guests is now believed to have involved over 142 million people.

Back in February, it was reported that the personal details of more than 10.6 million people who stayed at MGM Resorts hotels had been published on a hacking forum. But it’s been discovered that the actual figure is much higher after an ad appeared on the dark web offering details of 142,479,937 MGM hotel guests for just over $2,900.

The info, which allegedly includes data on celebrities and government employees, consists of names, addresses, emails, phone numbers, and dates of births. MGM said that financial information, ID or Social Security numbers, and hotel stay details were not part of the breach. ZDNet contacted some of the past hotel guests to confirm the list’s accuracy.

The MGM details came from a data breach on the hotel last year, in which a hacker gained unauthorized access to a cloud server that contained information on previous guests. The chain said it has notified all those impacted, as required by state laws.

Image courtesy of ZDNet

The person who posted the ad claims the data actually comes from a recent attack on DataViper, a data leak monitoring service, but the company denies owning a copy of the full MGM database and says the hacker is trying to ruin the firm’s reputation.

MGM says it was always aware of how many guests had their data compromised during the breach but wasn’t legally required to reveal the number. “MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” said the company.

Amazingly, the actual number of affected guests could be even higher, with posts on Russian hacking forums claiming there are details of 200 million people on the list.

Image credit: Alizada Studios