Accounts inaccessible
Just a couple weeks after MGM Resorts International issued the “all systems normal” after a hacker group hijacked its computer systems, it appears that many BetMGM customers had their accounts unlawfully accessed. A portion of those people have found themselves unable to login to their accounts and others who could get in found their funds lower than they were before.
BetMGM customers reported problems early this week on social media platforms. Las Vegas Locally posted a screenshot from an MGM Rewards group that warned about hackers and read, in part, “My balance was wiped out in front of my eyes, the phone number was changed to the hackers’ number, and the money was sent to an unknown Visa card.”
The person added that MGM said it will not help them out.
Over on X, posters have tagged BetMGM, telling the company that their accounts are locked because of too many incorrect login attempts when they know they are entering the correct account credentials. Others haven’t necessarily been locked out, but simply cannot login because the system says they used the wrong login ID or password. Yet other customers have received password reset e-mail messages when they never attempted to reset their password.
BetMGM not particularly helpful
The tweets have expressed frustration, not just at the loss of funds or problems accessing their accounts, but also because they feel they have not received help from BetMGM.
One customer shared a text message exchange in which they said their account was accessed by someone else last week, only to find BetMGM Customer Care say that due to “an internal business decision your account will remain closed” and that the decision is “final and irrevocable.”
BetMGM has yet to make any sort of public statement about what was going on. It seems like things may have been solved or the hackers have stopped (maybe), as social media posts significantly slowed on Wednesday.
Trial and error
Gambling media outlets are speculating that this is what is called a “credential-stuffing attack,” which is a brute force attempt to try different username and password combinations on customer accounts using data stolen from other sites and companies. DraftKings customers lost $300,000 in a similar attack in November 2022. Accounts locked because of too many incorrect login attempts and accounts actually accessed and drained of money would certainly point to hackers simply repeatedly trying different login info.
While the timing is suspect, the account hacks on BetMGM accounts are not necessarily related to the MGM Resorts hack last month. They are two different companies – BetMGM is a joint venture between MGM and Entain – and the hack on MGM appeared to have systems hijacking and disruption as a goal, not customer data theft. It is possible, though, that the MGM hackers did grab customer information and if BetMGM customers used the same login info that they do with MGM Rewards, then their accounts could definitely have been vulnerable.