The MGM Resorts Breach, 2023
01 Recon: LinkedIn & Social Profiling
Attackers profiled an MGM IT staffer by scraping LinkedIn and other social media: his role, his colleagues, even his speaking style.
02 Arm & Deliver: The 10-Minute Phone Call
They called the IT help desk impersonating the employee and convinced the agent to reset his credentials. No malware was needed.
03 Initial Compromise: Okta Tenant Takeover
With the reset credential, they signed into MGM's Okta tenant, dropped a session cookie, and pivoted into on-prem Active Directory for a durable foothold.
04 Privilege Escalation: Secondary Identity Provider
They added a second, attacker-controlled identity provider to MGM's federation, minting their own admin tokens at will.
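A defender-side check for this step, added here as an example and not code from the original page: a small correlation rule over constructed Okta-style System Log lines that flags every identity-provider lifecycle change and raises severity when the acting account's credentials were reset by someone else within the preceding 24 hours. The event-type names, field layout and sample values are assumptions and must be checked against the tenant's real log schema.

```python
import json
from datetime import datetime, timedelta

# Event-type names follow Okta System Log conventions; in this example they are
# an assumption and must be verified against the tenant's actual schema.
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.activate"}
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
WINDOW = timedelta(hours=24)  # reset followed by IdP change inside this window

def parse(line):
    """Reduce one JSON log line to the fields the rule needs."""
    e = json.loads(line)
    return {
        "t": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
        "type": e["eventType"],
        "actor": e["actor"]["alternateId"],
        "target": e["target"][0]["alternateId"] if e.get("target") else "",
    }

def detect(lines):
    """Return one alert per IdP lifecycle event; HIGH when the actor's own
    credentials were reset within WINDOW beforehand, MEDIUM otherwise."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["t"])
    last_reset = {}  # account -> time of its most recent credential reset
    alerts = []
    for ev in events:
        if ev["type"] in RESET_EVENTS:
            last_reset[ev["target"]] = ev["t"]
        elif ev["type"] in IDP_EVENTS:
            reset_at = last_reset.get(ev["actor"])
            recent = reset_at is not None and ev["t"] - reset_at <= WINDOW
            alerts.append({"severity": "HIGH" if recent else "MEDIUM",
                           "actor": ev["actor"], "idp": ev["target"],
                           "event": ev["type"]})
    return alerts

# Constructed sample log lines (hypothetical tenant, not real MGM data).
SAMPLE = [
    '{"published":"2023-09-10T14:02:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@corp.example"},"target":[{"alternateId":"it.admin@corp.example"}]}',
    '{"published":"2023-09-10T14:15:00Z","eventType":"user.session.start","actor":{"alternateId":"it.admin@corp.example"},"target":[]}',
    '{"published":"2023-09-10T16:40:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"it.admin@corp.example"},"target":[{"alternateId":"Unknown SAML IdP"}]}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Any IdP creation is rare enough in a healthy tenant to review by hand; the reset-then-federate sequence is the one that should page someone.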
05 Exfiltrate: Ransomware & $100M in Losses
BlackCat ransomware was deployed across thousands of ESXi hosts; slot machines, room keys, and reservations went dark for 10 days.
Total Losses: $100M+
Phone Call Duration: 10 min
Systems Offline: 10 days