What Happened in the MGM Hack
In September 2023, MGM Resorts International suffered a cyber incident that disrupted hotel operations, slot machines and reservation systems for days. Reports estimate the cost of the breach at around US$100 million. The attackers did not exploit a software vulnerability or deploy zero‑day malware. Instead, they called the help desk.
According to sources, members of the Scattered Spider group gathered personal data about an MGM employee from social media and public databases. They then contacted the company’s help desk, impersonating the employee. By answering basic security questions and providing plausible reasons, they convinced the agent to reset the employee’s MFA and password. With valid credentials and a new MFA device, the attackers logged into MGM’s systems. They navigated the network, deployed ransomware and stole data. The incident demonstrates how a single phone call can bypass sophisticated technical controls.
How Social Engineering Bypassed MFA
Multi‑factor authentication is designed to protect accounts when passwords are compromised. However, its effectiveness hinges on the secure issuance and management of the second factor. Scattered Spider exploited weaknesses in this process:
- Answering security questions – The attackers gathered enough personal information to answer knowledge‑based authentication questions posed by the help‑desk agent. Public data breaches and social‑media profiles provide names, addresses, birth dates and even pet names. With these details, attackers can convincingly impersonate legitimate users.
- Requesting a new MFA device – The attackers claimed that the employee had changed phone numbers or lost their device. The help‑desk agent, eager to provide assistance, removed the existing MFA and enrolled a new one. The Hacker News explains that scammers often ask agents to send the MFA reset link to a new email or phone, enabling them to complete the process.
- Circumventing push notifications – In some cases, attackers use MFA fatigue by sending repeated push prompts until the victim approves out of frustration. They may call the victim pretending to be IT support and instruct them to approve the login. With MGM, the attack focused on resetting MFA entirely, sidestepping this tactic.
- Using legitimate credentials – Once the new MFA device was enrolled, the attackers had legitimate credentials. The login looked normal to detection tools, so endpoint detection and response systems did not flag the activity. The breach went unnoticed until ransomware was deployed.
This attack underscores the reality that MFA is not a silver bullet. Without robust identity verification and process controls, determined attackers can social‑engineer their way past it.
Why Help Desks Are Vulnerable
Help desks exist to assist employees with access issues. Their goal is to resolve problems quickly and maintain productivity. Unfortunately, this mission makes them attractive targets. Several factors contribute to their vulnerability:
- Human nature – Help‑desk agents are trained to be helpful and empathetic. Attackers exploit this by conveying urgency and building rapport. The Canadian Centre for Cyber Security notes that vishers use fraudulent phone numbers and voice alteration software to impersonate trusted individuals. Agents may feel pressured to resolve issues quickly and may bypass security steps.
- Knowledge‑based authentication – Many help desks still rely on security questions, the last four digits of a Social Security number or other personal data for verification. In the age of massive data breaches, attackers can easily find this information.
- Uniform processes – Large organizations often use the same procedure for all accounts. The Hacker News points out that this uniformity allows attackers to target high‑privilege accounts; the same script resets an administrator’s MFA and a receptionist’s.
- Lack of identity proofing – Few organizations require government ID scans or biometric checks when someone calls in. Without strong identity proofing, it is difficult to distinguish a legitimate user from an impostor.
- Insufficient training and policies – Help‑desk staff may not be trained to recognize social‑engineering tactics. Policies may not require multi‑party approval or call‑backs to official numbers.
Attackers understand these weaknesses. They invest time in research and rehearsal. A single successful call can grant them the keys to the kingdom.
How to Protect Against Similar Attacks
The MGM incident prompted many organizations to re‑evaluate their help‑desk procedures. To prevent similar breaches, consider the following measures:
- Implement secure identity proofing – Require callers to verify their identity using a secure, out‑of‑band process. Solutions like Trusona send a verification link to the user’s registered device, requiring a government‑ID scan. Nametag emphasizes that advanced identity‑verification technologies use AI and cryptography to prevent deepfakes and impersonation.
- Use phishing‑resistant MFA and hardware tokens – Replace SMS codes with FIDO2 passkeys or security keys. Google found that after mandating hardware security keys, no employees were successfully phished. Even if attackers call the help desk, they cannot authenticate without the physical key.
- Script the help‑desk workflow – Provide agents with step‑by‑step scripts that enforce security policies. For high‑privilege accounts, require multi‑party approval or in‑person verification. Deny requests to send reset links to new contact information.
- Educate and empower employees – Train help‑desk personnel to recognize social‑engineering tactics. Encourage them to slow down, verify details and follow protocol. Educate all employees about vishing and MFA fatigue. Remind them never to approve unsolicited push notifications or share authentication codes.
- Monitor and audit – Log all password resets and MFA changes. Use analytics to detect anomalies, such as repeated resets or requests from unusual locations. Review logs regularly to ensure that policies are followed.
- Report and respond quickly – The FBI encourages prompt reporting of social‑engineering incidents. Early detection and response can prevent further compromise and minimize damage.
- Adopt a zero‑trust mindset – As Industrial Cyber notes, zero‑trust requires verifying both the subject and the device before starting a session. Extend this philosophy to the help desk: treat every request as untrusted until verified.
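The scripted-workflow and monitoring measures above can be checked mechanically against the help‑desk audit trail. The following is an added example, not code from the original article or from any vendor named in it; the event format and field names are assumptions, and the events themselves are constructed sample data. It flags the three patterns the article singles out: a reset link or enrollment delivered to contact information that does not match the registered contact, a privileged account reset without a second approver, and repeated resets of the same account inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed help-desk audit events (sample data, not real incident records).
# Each record is one password or MFA reset handled by an agent.
EVENTS = [
    {"ts": "2024-01-15T09:12:00", "user": "jdoe", "action": "mfa_reset",
     "delivered_to": "jdoe@corp.example", "registered": "jdoe@corp.example",
     "privileged": False, "approvers": ["agent17"]},
    {"ts": "2024-01-15T10:40:00", "user": "adm-rlee", "action": "mfa_reset",
     "delivered_to": "+1-555-0199", "registered": "+1-555-0100",
     "privileged": True, "approvers": ["agent22"]},
    {"ts": "2024-01-15T14:05:00", "user": "adm-rlee", "action": "password_reset",
     "delivered_to": "+1-555-0199", "registered": "+1-555-0100",
     "privileged": True, "approvers": ["agent22", "mgr03"]},
    {"ts": "2024-01-16T08:30:00", "user": "msmith", "action": "mfa_reset",
     "delivered_to": "msmith@corp.example", "registered": "msmith@corp.example",
     "privileged": False, "approvers": ["agent05"]},
]


def audit_resets(events, window_h=24, max_resets=1):
    """Return (user, reason) findings for reset events that violate policy."""
    window = timedelta(hours=window_h)
    findings = []
    by_user = defaultdict(list)  # user -> timestamps of earlier resets
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        ts = datetime.fromisoformat(ev["ts"])
        # Policy: never send a reset to contact details supplied on the call.
        if ev["delivered_to"] != ev["registered"]:
            findings.append((ev["user"], f"{ev['action']} delivered to unregistered contact"))
        # Policy: high-privilege accounts need multi-party approval.
        if ev["privileged"] and len(ev["approvers"]) < 2:
            findings.append((ev["user"], "privileged reset without second approver"))
        # Analytics: repeated resets of one account within the window.
        recent = [t for t in by_user[ev["user"]] if ts - t <= window]
        if len(recent) >= max_resets:
            findings.append((ev["user"], f"{len(recent) + 1} resets within {window_h}h"))
        by_user[ev["user"]].append(ts)
    return findings


if __name__ == "__main__":
    for user, reason in audit_resets(EVENTS):
        print(f"{user}: {reason}")
```

With the sample data, every finding concerns the privileged account whose reset went to a new phone number on a single agent's approval, which is exactly the request pattern the scripted workflow should have refused.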
Conclusion
The MGM Resorts breach is a cautionary tale about the limits of traditional security controls. A single phone call to the help desk led to an estimated US$100 million in damages. Attackers bypassed MFA by exploiting knowledge‑based verification and human trust. This incident underscores the need for strong help‑desk defenses. By implementing secure identity proofing, phishing‑resistant MFA, scripted workflows and robust training, organizations can prevent social‑engineering attacks from escalating into multimillion‑dollar disasters. Are you protected?