MGM Resorts hack exposes details of 10.6 million guests

February 20, 2020, 5:58 PM UTC
Denise Truscello—Getty Images for MGM Resorts

One of Las Vegas’s biggest hotel chains has been hacked, exposing the personal data of millions of individuals.

MGM Resorts was hit by cybercriminals, first reported by ZDNet, who lifted personal and contact details for 10.6 million hotel guests, including celebrities, employees and government officials. Among the information taken was full names, home addresses, phone numbers, emails and dates of birth.

Financial information does not appear to have been stolen in the attack.

MGM Resorts has more than 20 hotels worldwide, but its biggest concentration is in Vegas, where it owns 13, including the Bellagio, Mandalay Bay, Aria, Vdara and the Mirage.

While sizable, the breach pales in comparison to the 2018 breach of Marriott, which exposed data of up to 500 million guests.

The information was posted to a hacking forum Monday. It’s unclear which hotels were affected by the attack though one news outlet who scanned the names noticed that information about Stephen Paddock, the man who opened fire from the Mandalay Bay Resort on Oct. 1, 2017, killing 58 people, was included in the data dump.

MGM, in a statement to Fortune, said it discovered unauthorized access to a cloud server last summer.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” the company said. “We are confident that no financial, payment card or password data was involved in this matter.  … At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.”
MGM Resorts says it notified impacted guests “in accordance with applicable state laws,” but many states do not require victims to be notified when the hacked information is limited to data such as address, phone number, etc. So many people who were affected by the hack might have no idea they were included.

Worried you’re a possible victim of the MGM Resorts hack? Here are a few precautionary steps to take:

Monitor your financial accounts

Even though MGM says financial records weren’t accessed, it’s best to be safe. Check your accounts for fraudulent activity. Most Americans don’t keep close tabs on their checking and saving balance and don’t examine every item on their credit card bill – and hackers count on that.

Set up credit monitoring

Identity theft is the big threat here and you want to be sure no one is using your personal information. It’s also not a bad idea to sign up for a credit monitoring service, such as Equifax’s TrustedID Premier (though Equifax had a notable data breach of its own in 2017) or CreditKarma.

If you’re especially worried, consider a credit freeze, which prevents new credit from being issued without your direct permission.

“Your best protection against someone opening new credit accounts in your name is the security freeze (also known as the credit freeze), not the often-offered, under-achieving credit monitoring,” notes the U.S. Public Interest Research Group.

Change your passwords—again

Yes, it’s a pain, but it’s a critical step, especially if you’re using the same password on multiple sites.

More must-read stories from Fortune:

—How Apple defied the odds to post the biggest quarterly profit ever
—Oracle and Google are about to face off in tech’s trial of the century
—Can San Francisco be saved?
—Did the ‘techlash’ kill Alphabet’s city of the future?
—Predicting the biggest tech headlines of 2020

Catch up with Data Sheet, Fortune’s daily digest on the business of tech.