In September 2023, slot machines across the Las Vegas Strip went dark, hotel keycards stopped opening doors, and one of the world’s biggest casino companies was reduced to checking guests in with pen and paper. The cause wasn’t a zero-day exploit or a nation-state cyberweapon.

It was a phone call. By most accounts, it took about ten minutes.

Key Takeaways

  • The way in: attackers impersonated an MGM employee found on LinkedIn and talked the IT help desk into a password reset. No malware was needed to gain the foothold.
  • The damage: roughly $100 million in lost earnings and recovery costs, disclosed by MGM for Q3 2023, plus about 10 days of casino and hotel disruption.
  • The ransom answer: MGM refused to pay; Caesars, hit weeks earlier by the same crews, reportedly paid around $15 million and avoided public chaos.
  • Who did it: Scattered Spider, a network of mostly young English-speaking social engineers, working with the ALPHV/BlackCat ransomware operation.
  • The aftermath: MGM later agreed to a settlement of about $45 million over the customer data exposed, and several alleged Scattered Spider members were arrested across the US, UK and Spain.

How Did Hackers Get Into MGM?

The hackers got into MGM by phoning its IT help desk, impersonating a real employee whose details they’d found on LinkedIn, and requesting a password reset, a social-engineering technique called vishing. No firewall was breached; a person was.

The attackers, tracked by researchers as Scattered Spider, didn’t start with MGM’s technology at all. They started with LinkedIn, where they found what every company helpfully publishes: names, job titles, and enough personal texture to impersonate someone convincingly.

Then they phoned MGM’s IT help desk pretending to be that employee, locked out and needing a reset. The help desk did what help desks are built to do: it helped. With those recovered credentials, the intruders reached MGM’s Okta identity platform, the system that decides who is allowed into everything else, and from there the takeover cascaded.

There’s a name for this technique: vishing (voice phishing). There’s also an older name: a con. What’s genuinely new is the target selection: identity systems and outsourced help desks are now the soft underbelly of companies that spend fortunes hardening everything else. We saw the same pattern in the Coinbase breach, where the way in was simply bribing outsourced support staff, and in the hospital spyware case, where the attacker just walked in.

Who Are Scattered Spider?

Scattered Spider is a loose network of predominantly young, English-speaking hackers, many of them teenagers and early-twenty-somethings from the US and UK, who specialize in social engineering rather than exotic malware. They emerged from online communities where SIM-swapping and account-takeover techniques were traded like game cheats, and researchers track them under names including UNC3944 and Octo Tempest.

Their native English is the actual weapon. Traditional phishing defenses assume broken grammar and clumsy pretexts; a confident young caller who sounds exactly like a stressed colleague sails past them. For the Vegas operations, the group worked with ALPHV/BlackCat, a Russian-speaking ransomware-as-a-service crew that supplied the encryption malware once Scattered Spider had done the talking. The generational echo of the teenager who hacked GTA 6 with a Fire Stick is not a coincidence. It’s the same talent pool.

Ten Days of Chaos

MGM responded by pulling the plug on huge parts of its own infrastructure to contain the spread, which is why the damage looked so cinematic:

SystemEffect
Slot machinesBanks of machines offline or unable to pay out across Strip properties
Hotel check-inManual check-ins, handwritten receipts, hours-long lobby queues
Digital room keysDead; staff escorting guests or issuing physical keys
The website & appDown for days; bookings by phone only
Loyalty & paymentsComps, points and some transactions frozen

The disruption ran roughly ten days. MGM later told investors the attack shaved about $100 million off its quarterly results, plus one-time recovery costs. And that’s before the class-action settlements that followed.

Did MGM Pay the Ransom?

No. MGM refused to pay and rebuilt its systems instead, absorbing roughly $100 million in lost earnings plus one-time recovery costs. The most interesting part of that answer, though, is a company that isn’t MGM. Weeks earlier, the same ecosystem of attackers hit Caesars Entertainment. You didn’t see wall-to-wall coverage of Caesars’ collapse, because there wasn’t one. Caesars quietly negotiated and reportedly paid a ransom in the neighborhood of $15 million. Its casinos never made the news.

So the Vegas hacks became a natural experiment:

  • Pay quietly: small known cost, no chaos, and you’ve just told every criminal group on Earth that you pay.
  • Refuse and rebuild: $100M+ in visible damage, ten days of humiliation, and nothing in your wallet for the next crew.

Security economists will argue forever about which company chose correctly. Both, notably, are still standing.

What Did the Hack Change?

The MGM attack became the case study that reshaped corporate security priorities in three concrete ways:

  • Help desks became a security perimeter. Identity-verification products for support calls (callback requirements, manager approvals for resets, video verification) went from niche to standard procurement after September 2023.
  • Disclosure got faster. The attack landed just as new SEC rules requiring disclosure of material cyber incidents within four business days took effect, and MGM’s rapid, detailed investor disclosures became the template other companies now follow.
  • The bill kept growing after the headlines. Beyond the ~$100 million operational hit, MGM later agreed to a class-action settlement of about $45 million covering the tens of millions of customers whose loyalty-program data was exposed, a reminder that breach costs arrive in waves, for years.

The Critical Choice

The critical choice at MGM wasn’t made in September 2023. It was made every quarter before it, in the same way most companies make it: deciding, implicitly, by budget line, that identity verification at the help desk was a customer-service problem rather than a security perimeter. The attackers didn’t beat MGM’s defenses. They called the one department whose job description is to open doors, and asked politely.

That’s the uncomfortable takeaway for every business reading the postmortem: your security is not your firewall. It’s your most helpful employee on their busiest day. More stories like this live in our hacks & breaches files.

Where Things Stand Now

MGM restored operations, disclosed its numbers, and settled customer class actions covering millions of affected loyalty-program records. Several alleged Scattered Spider members, many of them barely out of their teens, have since been arrested in the US, UK and Spain, though the network’s playbook has been widely copied. The help-desk con, meanwhile, remains in active use against companies of every size, because it still works.