Leading sports betting company BetMGM disclosed a data breach after a threat actor stole personal information belonging to an undisclosed number of customers.
While the personal info stolen in the attack varies for each customer, the attackers obtained a wide range of data, including names, contact info (like postal addresses, email addresses, and phone numbers), dates of birth, hashed Social Security numbers, account identifiers (like player IDs and screen names) and info related to transactions with BetMGM.
The company added that it discovered the incident in November 2022 but believes the breach occurred in May 2022.
“BetMGM currently has no evidence that patron passwords or account funds were accessed in connection with this issue,” a press release issued on Wednesday says.
“BetMGM’s online operations were not compromised. BetMGM is coordinating with law enforcement and taking steps to further enhance its security.”
In breach notification letters sent on December 21, 2022, customers were advised to watch for “unsolicited communications” and “suspicious activity” related to their personal information.
A BetMGM spokesperson did not reply to an email sent by BleepingComputer today, asking for additional information on the number of affected customers.
Over 1.5 million BetMGM customers allegedly affected
While the betting firm is yet to disclose the number of customers that had their information stolen in the May breach, the likely attackers are already selling it online.
“We breached BetMGM’s casino database current as of Nov 2022,” says the threat actor named ‘betmgmhacked’ who put up the stolen information for sale on a hacking forum yesterday.
“The database is inclusive of every BetMGM casino customer (over 1.5M) as of November 2022 from MI, NJ, ON, PV, and WV. Any customer that has placed a casino wager is included in this database.”
According to the threat actor’s post titled “BetMGM.com Casino Database Breach,” the database of stolen BetMGM customer information allegedly contains 1,569,310 user records.
It also claims to include data sets belonging to players from BetMGM casinos in New Jersey and Pennsylvania, as well as a “Master Casino” data set with information on customers from all states (all customer records include phone number, email, and address info, according to the threat actor).
New Jersey-based BetMGM is a sports betting operator founded in 2018 as a joint venture between American hospitality and entertainment firm MGM Resorts International and Entain plc, one of the largest sports betting and gaming companies worldwide.
BetMGM’s sports betting and online gaming brand portfolio includes BetMGM, Borgata Casino, Party Casino, and Party Poker.