Last summer, MGM Resorts disclosed an MGM data breach that affected around 10 million guests of the hotel company, including some fairly high-profile clients. The data, which included names, addresses, phone numbers and email addresses, appears not to have included sensitive things like payment card information or Social Security numbers. However, that does not mean the information is useless, and it certainly has not stopped hackers from posting the stolen data for sale on the Dark Web.

There are a few different reasons why hackers might target a company or website. They might want to steal information, such as in the case of the MGM data breach, or install malicious software on the company’s servers. They might simply want the “credibility” of breaking into a secure site and bragging about it later, or even the ability to protect the public, as in the case of “white hat hackers” who infiltrate a company in order to show them their own defense weaknesses.

In the case of the MGM data breach, the goal seems to have been profit. The database of information—which included records that claim to belong to Justin Bieber, Twitter CEO Jack Dorsey, U.S. government officials and even a Secret Service agent—has now been discovered for sale online.

What can criminals do with this stolen information once they buy it from the hackers? After all, it does not contain any permanent identifiers or financial account records.

The end goal for this kind of sale is to grab up the email accounts and use them for targeted spam. It could be the annoying kind of spam that floods your inbox with ludicrous consumer offers, but it could also be the dangerous kind. For example, if the hacker wants to infiltrate a government computer, they might send an email with an embedded virus to a former guest with a .gov email address. In order to get the recipient to click the link, the email just has to look like it came from MGM Resorts—or another company the person does business with—and offer some plausible reason why the recipient should open the file.

From there, the malicious software, virus or even ransomware can be installed on the victim’s computer, and then the senders can move forward with whatever plan they intend.

In order to protect yourself from this kind of attack, there are some things you can do to be more proactive. No one can prevent every cyberattack, of course, but you can at least try to slow the bad guys down.

  1. Throwaway email account – Establish an email account that you use specifically for things like booking travel, online shopping or even signing up for gaming apps. There is no reason to use your work email or “official” email for those kinds of activities.
  2. Develop good habits – Never click a link, open an attachment or download a file that you were not specifically expecting. Even if it looks like it comes from someone you know or a company you do business with, it could be spoofed and therefore could be harmful.
  3. Stay up to date on data breaches – Any time there is a data breach and you are informed that your information may have been compromised, that should serve as another reminder that a wave of spam or fake emails is coming your way. Be on the lookout for anything unusual and stay away from those embedded dangers.

For more information on data breaches like the MGM data breach and what they could mean to you, go to idtheftcenter.org and check out the free Breach Clarity tool that helps consumers understand their risks and take the proper steps to protect their identity.


There are more remote workers now than ever, either as telecommuting employees or freelancers. At the same time, more businesses than ever before are relying on these hard-working individuals to keep their companies in operation. The end result is people who don’t work in your building—or even live in your city—and who have never laid eyes on the boss may be the best line of defense when it comes to protecting your business from cybercrimes.

These remote workers can turn out to be the weakest link in the business cybersecurity chain. With their access to company servers, their connection via email to the onsite employees’ network and the fact that they are typically utilizing their own technology—whether it is virus-protected or not—these outsiders could be the avenue that savvy hackers use to deploy their malicious tactics.

Going through an outside source is nothing new for hackers. In fact, the infamous Black Friday breach of Target’s payment card system in 2013 happened because hackers sent a phishing email to a small HVAC repair company. This company had the contract to work on a number of Target locations in its area, and as such, had been connected to Target’s computer network. When hackers tricked an employee of the HVAC company into downloading malicious software on the smaller company’s network, they were able to infiltrate all of the POS systems for Target on the biggest shopping day of the year.

How can a company know that its outside freelancers or remote workers are not falling for phishing attacks? How will they know if those employees’ personally-owned computers and devices are password protected and have antivirus software installed? Without a system of checks in place, businesses are leaving a lot up to chance.

There are a lot of other hidden pitfalls these remote workers and companies face, as shown here, but fortunately, many of the same preventive measures that protect individuals can also protect businesses. Here are some tips on the employee’s end that can reduce the risk of a breach:

  • Locking down your Wi-Fi and your accounts with strong, unique passwords is crucial, and regularly changing your passwords is a good idea
  • Enabling two-factor authentication is a good idea too, as it can keep hackers out of a lost or stolen smartphone or laptop
  • Be sure that antivirus software is installed and up-to-date at all times, and consider using a VPN to hide your information when you are working online

For businesses and employees alike, the most important steps to take involve learning to spot the signs of suspicious activity. Know how to recognize a phishing email, and know what the proper steps are to avoid becoming a victim of a phishing attack. Make it a policy and all-around good habit to never click on a link, open an attachment or download a file that you were not specifically expecting. Create a workspace that rewards employees for verbally confirming even the simplest of commands and requests if there is any doubt that they are legitimate.

Companies have to work together from the top down to create a safe, effective workplace. Avoiding business cybersecurity issues can only happen when everyone works together and knows how to be safe.

If you believe you are a victim of identity theft, you can call the Identity Theft Resource Center toll free at 888.400.5530 to speak with one of our advisors or live chat with an advisor on our website. They will help you create an action plan for your case while directing you on the next steps you need to take.


For on-the-go identity assistance, check out the free ID Theft Help App from ITRC.


When you are on the internet in this day and age, you always have to be cautious about whether games and deals are legitimate fun or a social media hoax. There is no shortage of ways to earn money, win prizes or benefit from free goods online. Contests, giveaways and company discounts are all over, and the chance to score some savings can be very enticing. Sometimes it takes nothing more than “liking and sharing” a page. Other times, it requires you to sign up with your identifying information. Unfortunately, scammers know that as well.

From social media hoaxes and fake contests to outright phishing attempts that steal your information, there is no end to the ways that criminals will try to take advantage of you. Adopting a suspicious air of caution is important whenever you sign up for something, enter a game or contest or any other type of activity that exposes your information.

For example, a new contest has made serious waves online, mostly for its originality but also for its red flags. A group known as MSCHF has had a lot of fun—and shared that fun with a vast community of online users—with innovative and inventive offerings. Their newest project, Password of the Day, is no exception.

The way it works is you sign up with your phone number to receive text messages from the company. Every day, users can request the “password of the day.” The reply will include the login credentials for some kind of online account. It might be an Amazon account equipped with Prime, a PayPal account with a $1,000 balance in it, a Disney+ account or any other kind of account. Not knowing is part of the game, after all. The trick is the first person to find the online account that those credentials go to gets to keep it.

Fun, right? Except for some media coverage of this “internet treasure hunt” that failed to point out where exactly these login credentials came from. That left people to speculate as to whether these credentials had been stolen or bought from the Dark Web. Is this the latest social media hoax?

Luckily, no. Further research into this game showed that the creators had established all of the accounts themselves to give away. That might not have been clear at the outset to some users since the game was very mysterious. However, it is a legitimate game that does not steal from others.

It is hard to find fault with the people who were concerned about a social media hoax, though. After all, the internet is filled with too-good-to-be-true offers, fake coupons that require you to turn over your personal data and surveys that go on for page after page and result in a flood of spam emails. Furthermore, this game requires you to submit your cellphone number—in order to receive the text messages—and that can make people stop and think, too.

This should serve as a warning to all internet users to be careful of “crazy” deals and offers. More importantly, do your own homework before signing up for or rejecting a company. Simple Google searches can tell you a lot about whether or not it is a social media hoax. If you are still unsure, contact the company directly or err on the side of caution. In the meantime, enjoy the game when a company has proven itself to be trustworthy!


In 2019, romance scams led to losses of over $200 million. While these scams may seem easy to avoid, scammers go out of their way to take advantage of you.

All internet scams have the potential to be cruel. After all, they are designed to trick you into handing over your money, your identity or both. However, perhaps one of the most heart-wrenching forms of online scam is the romance scam. Not only does the victim lose their money—and even potentially end up in jail—but they lose what they believed was a real chance at finding lasting love.

Romance scams occur when someone poses as a possible love interest. They reach out to you on social media, on dating apps and websites, via text message or email or through any other means. The resulting conversation is fun and interesting, and the sheer amount of personal attention can lift anyone’s spirits. Before long, you find yourself looking forward to the numerous messages this person sends each day. It does not take long before the pre-packaged lines start to flow:

  • “I have never felt like this with anyone I have chatted with before.”
  • “I know we just started talking, but I think I’m falling in love with you.”
  • “I hope this is not too forward, but I could really see us spending the rest of our lives together.”

Of course, there is always a major obstacle from this new love interest that makes it hard to chat, speak on the phone or visit in person. Perhaps they work on an offshore oil rig, or they are a deep-sea fisherman out on the water for months at a time. Often, the scenario is that they are a U.S. soldier who has been deployed to Afghanistan. The job may change, but the excuse is the same.

Before too long, the ploy begins:

  • “I am stuck here on an oil rig and my mom—who adores you already and is excited about meeting you soon—needs medicine. The money is in my account, but the bank has frozen my account while I am away. If only there was someone who could send her money so she does not end up back in the hospital.”
  • “I am away on the boat and my son at university—I mean, our son—just had his laptop stolen. He is going to fail his classes and lose his scholarship.”

What’s worse is that the victim’s response to the ploy will determine the future of the relationship. Sending money right away will earn you more messages, more talk of marriage and a future. Showing even the slightest hesitation can result in being cut off for a while. Once you come to your senses and send the money, then the lovey-dovey talk starts back up.

You would think people would not be taken in so easily, but that is not true. In fact, despite the fact that romance scams have been around for years, 2019 romance scam statistics show Americans reported losses of over $201 million to romance scams that year. Those statistics cover only the reports that were actually made to the Federal Trade Commission (FTC), and do not include the victims who are still embedded in these scams or were too upset and embarrassed to file a report.

Over the last two years, the money reported lost to romance scams was higher than any other reported scam according to the FTC. The FTC also says 2019 romance scams included more than 25,000 reports filed.

Avoiding a romance scam is much harder than it sounds, and recognizing that you have already been victimized is even harder than that. These scammers are good at what they do and they know exactly what to say to snare their victims. All you can do is adopt an air of caution about talking to people online, look for those red flags about long-distance relationships and far-flung jobs and remember that if anyone asks you for money for any reason, it is probably a scam.


In what has become a frequent event, another company has exposed its sensitive company information to the entire internet, all because it failed to password-protect its web-based storage system. LimeLeads, a San Francisco-based company that matches individuals and businesses with potential leads, left its internal database of users unsecured. The LimeLeads overexposure was discovered by a hacker, who downloaded it and sold the information of more than 49 million users online.

This type of overexposure continues to happen because many of the systems that offer cloud-based or web-based storage to their customers have the password setting off by default. That might seem like a bad idea, given how many times in recent months this very scenario has happened. However, there are important reasons for not automatically locking everyone out of the system, especially when the company is transitioning to this service. As soon as the transition is underway, that default setting should be changed immediately to a password-protected setting.

Instead, too many companies leave it unprotected, never changing the default, which is what led to the LimeLeads overexposure. That means literally anyone who knows to look for it—or just gets curious and starts browsing around online—can find both the storage bucket and the contents. In this case, a security researcher who routinely looks for unsecured databases discovered it. Unfortunately, they did not discover it before someone else got to it first.

According to ZDNet, a hacker who goes by the name Omnichorus also stumbled upon the database. They then downloaded the contents and posted it for sale on the Dark Web. In many other events like the LimeLeads overexposure, the companies were lucky. They never found evidence that anyone else (before the security researcher who reported it) found or used the information.

Unfortunately, any time personal data is collected and stored, it is the responsibility of the new owner to keep it secure. The LimeLeads overexposure amounts to a data breach, despite the unintentional nature of the event, and those users’ records have now been compromised. Businesses must make comprehensive computer training and updates a priority in order to prevent issues like the LimeLeads overexposure.


The year 2020 has kicked off with a number of high-profile data breaches that have affected a wide variety of industries. The recently announced Front Rush data breach affecting student-athletes is just another in a long line of attacks that have targeted businesses and their customers.

Front Rush, a tech company whose recruiting software connects colleges, universities and sports teams with up-and-coming student-athletes, suffered a data breach that compromised around 700,000 students’ profiles. The Front Rush data breach was the result of an unsecured Amazon Web Services online storage system, which is another in an ever-increasing number of accidental overexposures that lay out companies’ databases to anyone who looks for them on the web.

This time the exposed victim records included minors, and due to the nature of the information collected, it included SAT scores and grades, medical files and financial aid agreements.

The storage bucket has been taken offline, but there is no way of knowing if anyone accessed the information before Front Rush became aware of the issue. A security researcher discovered the exposed bucket and contacted Front Rush, but they did not receive a reply. The researcher then reached out to the media so that victims might be made aware.

Incidents like the Front Rush data breach may be on the rise, but they are also avoidable. By default, the web storage bucket is set to “non-password protected,” and it is up to the client to lock it down and put a password in place. Users who fail to do so are literally leaving their entire database available to anyone on the internet.

The consumers whose information goes into these unsecured storage systems do not have much they can do to prevent these things from happening. That is why it’s very important to monitor your accounts closely, change your passwords frequently (in case someone stumbles on old information online) and be on the lookout for spam email and phishing attempts that come from these kinds of breaches.


A Golden Entertainment phishing attack is forcing the gaming company to see if any exposed information has been used in a harmful way and to look at ways to protect employees from possible attacks in the future.

There are many different ways that hackers can strike. From infiltrating entire networks to installing viruses and malware, their methods are varied and unfortunately, quite effective. A newly announced breach of one company’s employee email accounts shows how simple and effective it can be.

In what seems to be a phishing attack, hackers sent an email to an employee of Golden Entertainment, a company that manages casinos, distributed gaming venues and more. The email enticed the employee to follow through with some sort of instructions, which have not been released. Those instructions could have been to open an attachment, download a file, click a link or any other avenue that the hackers chose.

The end result was that the email contained malicious steps that gave the hackers access to email accounts for the employees. The report states that the unauthorized user(s) may have visited that account more than once throughout an eight-month period. As such, they were able to access sensitive emails, including some that had attachments. Those attachments included complete customer identities for some clients, including payment card data, Social Security numbers and much more.

The company has not found any evidence that the affected customers’ information was used in a harmful way, but they are being very cautious about their investigation and resulting steps.

The Golden Entertainment phishing attack is just another reminder that all companies, no matter how big or small and no matter what industry they are in, should have comprehensive employee training on how to respond to emails, messages and social media posts. Those trainings should include instructions on never opening an attachment or clicking a link that was unexpected, even if the email appears to come from a trusted sender. Instead, the employees should verify the instructions verbally before complying.

Failure to do so can lead to cybercrimes such as hacking, account takeover, ransomware and identity theft, as seen in the Golden Entertainment phishing attack. The high costs of the aftermath of these attacks can make anyone wish they had simply never clicked. Be sure you are doing all you can to protect yourself from attacks like the Golden Entertainment phishing attack by being able to spot a phishing attack and reporting it to your employer.


It is the season of love and the season of romance scams, specifically a senior online dating scam.

Who Is It Targeting: Single seniors looking for relationships

What Is It: Variety of scams that target seniors based on romantic conversations

What Are They After: There are a variety of senior online dating scams out there right now, and they can do everything from stealing your money or identity to landing you in jail. Typically, romance scammers reach out via social media messaging sites, online dating sites and even platforms like Skype. However, the brief conversations with a stranger quickly turn romantic, and before too long, the victim is snared.

How Can You Avoid It:

  • Be very wary of connecting with people you do not know
  • Look for red flags, such as a job in a far-flung location or some excuse as to why they cannot connect or speak on the phone regularly
  • If you are asked for money for ANY reason, it is a scam; no one you just met online will need to ask you for money, no matter how many times you have chatted
  • Some of the romance scams can hook you into taking part in criminal activities like money laundering, so be careful of any “favors” you are asked to do
  • Video platforms like Skype have been used for sextortion, so be very careful about engaging in adult behaviors online with someone you don’t actually know

If you think you may be a victim of identity theft or a senior online dating scam, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. Find more information about current scams and alerts here. For full details of this scam check out this article from WealthyRetirement.com.

After a couple of years away from the top of the Consumer Sentinel Network Data Book, identity theft reports have returned to the top spot.

The Federal Trade Commission (FTC) accepts agency, business and consumer-submitted reports of scams, fraud and other related crimes. They then compile those reports into a large online database called the Consumer Sentinel Network. This database is available to law enforcement around the country. When compiling the report each year, the FTC also maps the types of crimes that consumers submit and shares that data with the public.

The FTC received over 3.2 million reports, of which the top three categories were identity theft, imposter scams, and telephone & mobile services. Identity theft encompasses a number of different types of crime, largely based on how the thief stole the information and what they did with it. For example, medical identity theft occurs when the thief uses stolen information and poses as a patient to receive medical care or pharmaceuticals. Government identity theft occurs when someone uses the stolen data to apply for government benefits, file a fraudulent tax return or commit other crimes. Child identity theft, as the name implies, happens when the victim is a child with a clean credit report or is not receiving government benefits and someone uses their Social Security number and information.

Just because other crimes eclipsed identity theft reports for a couple of years does not mean the number of incidents was insignificant. It only means that other crimes were more prevalent. Now, with identity theft reports returning to such a prominent position, it should serve as a warning to the public that all forms of identity theft, fraud and scams continue to be serious problems.

However, there are ways you can protect your identity:

  • Place a freeze on your credit report. If your data has ever been compromised in a data breach, this is an especially good idea. It is now free, but keep in mind that if you need to thaw your credit, it can take several days.
  • Enable alerts on all of your financial accounts and cards. These alerts will let you know if someone has infiltrated your existing accounts and managed to use them.
  • Practice good password hygiene. A password can only protect you if it is strong—with at least eight characters and a combination of unguessable letters, numbers and symbols—and only used on one account. It is also a good idea to change your passwords regularly to prevent anyone who discovered old login credentials from accessing your accounts.


The Identity Theft Resource Center (ITRC) has released its annual End-of-Year 2019 Data Breach report, and the information is both surprising and expected. The ITRC has long been a go-to source of help and information about identity theft and fraud, data breaches and other related matters. As part of its mission to empower consumers, law enforcement and lawmakers alike with up-to-date information, the ITRC compiles a data breach report each year to present a clear picture of this type of crime.

The 2019 Data Breach Report has revealed that data breaches are on the rise once again, despite a drop the year before. The lower numbers in 2018 appear to have been an anomaly rather than a sign that businesses are getting better at the kinds of security that hackers cannot breach.

Hacking continued to be the number one method of data breaches.

However, there were some very interesting findings. In 2019 there may have been a record number of data breaches, but the number of consumers’ personal records that were compromised was dramatically lower than before. While that is in large part due to the 2018 Marriott data breach exposing over 380 million records, it could still be a sign that the data hackers are after is not as accessible.

Also, for only the second year in a row, the medical industry was not the number one target for hackers. In the past, the healthcare sector has often been a top priority for data theft due to the high volume of personal information that doctors’ offices and hospitals collect on their patients.

Last year, the business sector was the number one target and medical providers were in second place.

There was another unfortunate surprise to come from the 2019 Data Breach Report and the sharing of the findings. Too many people still do not know how to better protect themselves from this kind of crime, and many are unaware of the resources like the ITRC that are here to help them.

In order to try to avoid becoming a victim, it is important to understand what preventive steps consumers can take.

Tactics like the second most common avenue of data breach last year (unauthorized access), for example, can often be thwarted with strong, unique passwords on all of your accounts.

It is also important to monitor your accounts closely for signs of unauthorized use, report any suspicious activity immediately and file a police report if you have been a victim of identity theft.

For a complete look at the ITRC’s 2019 Data Breach Report, click here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.
