In September 2023, a member of the Scattered Spider hacking group called MGM Resorts’ IT helpdesk, spent approximately 10 minutes on the phone impersonating an employee, and walked away with the access that would trigger a 10-day operational outage across one of the world’s largest casino and hotel companies. MGM Resorts International operates 30+ hotel and casino properties including Bellagio, MGM Grand, Mandalay Bay, and Aria, and employs approximately 75,000 people. The total impact exceeded $100 million. The entry point was a phone call.
What Happened
Scattered Spider — also known as UNC3944 and Octo Tempest — is a threat actor known for using social engineering at scale, specifically targeting IT helpdesks and service accounts to gain initial access to enterprise environments. Their technique is to research target employees on LinkedIn, obtain enough personal detail to pass basic verification questions, and call the helpdesk to request an account reset.
In early September 2023, Scattered Spider called MGM Resorts’ IT helpdesk and social engineered a password reset for a privileged user account, gaining access to the Okta environment that MGM used for single sign-on across its properties.
The timeline:
- September 8-10, 2023: Scattered Spider gains initial access through IT helpdesk social engineering, accesses Okta
- September 10, 2023: MGM Resorts detects intrusion; begins shutdown of affected systems to contain spread
- September 10-20, 2023: 10-day operational disruption across MGM properties
  - Casino floor slot machines and ATMs offline or cash-only
  - Room key cards non-functional; guests checked in manually
  - Hotel websites, apps, and reservation systems offline
  - Restaurants and facilities operating on manual processes
- September 2023: ALPHV/BlackCat claims involvement as affiliate partner providing ransomware payload
- September 27, 2023: MGM Resorts discloses the breach in SEC filing
- November 2023: MGM discloses total financial impact exceeds $100 million plus ongoing losses
- 2024: MGM discloses data breach notification — personal data of approximately 37 million customers exposed including names, contact details, dates of birth, driver’s licence numbers, Social Security numbers for some customers, and passport numbers
The personal data exposed includes highly sensitive information: driver’s licences, passport numbers, and Social Security numbers that represent significant long-term identity theft risk for affected customers.
How It Happened
The entry point was the IT helpdesk: a social-engineered password reset handed the attacker a privileged account in the Okta environment that MGM used for single sign-on. Once Scattered Spider held Okta access, they could move through MGM’s systems using legitimate single sign-on credentials rather than exploits, the same pattern that made their attacks at other organisations so effective. Okta, as the identity provider for an organisation’s entire application estate, is one of the highest-value non-human identity surfaces in the enterprise.
The specific NHI failures:
IT helpdesk as identity reset surface. The helpdesk reset process was designed to accommodate users who had forgotten passwords or lost access to MFA devices. It relied on knowledge-based verification that Scattered Spider was able to defeat through basic employee research on LinkedIn. An attacker who can reset a privileged Okta account through a phone call has effectively bypassed every access control downstream of that credential, including MFA, because a helpdesk that can recover a lost MFA device can also clear the factor and let the caller enrol their own.
Okta as a single point of identity compromise. Okta is used to provide SSO access to dozens or hundreds of applications. A single compromised Okta credential provides an authenticated entry point to every application in that SSO estate. That is by design — SSO is intended to provide seamless access. From a security perspective, it also means that a single credential compromise has outsized blast radius compared to individual application credentials.
Insufficient monitoring of privileged Okta account actions. The initial Okta access is placed at September 8-10, yet MGM did not begin shutdown procedures until September 10. That gap, whether hours or a couple of days, was enough for reconnaissance and staging, which indicates that anomalous privileged account activity (a helpdesk-initiated reset of an administrator, MFA changes on that account, sign-ins from new locations) was not generating real-time alerts sufficient to trigger an immediate response.
What This Means for NHI Governance
The MGM breach occurred in the same month as the Caesars Entertainment breach: the same threat actor, the same technique, two of the largest US casino operators hit within weeks of each other. Both breaches began with a helpdesk call. Both exploited Okta-adjacent credentials. Both ended in extortion tied to the ALPHV/BlackCat operation.
Okta and equivalent identity providers are a critical NHI surface. The service accounts, application integrations, API connections, and machine-to-machine credentials that flow through an Okta environment are non-human identities. When the Okta environment itself is compromised through a helpdesk call, the entire downstream NHI estate is potentially at risk.
The broader governance lesson: identity providers are the key management infrastructure for NHI credentials. If the identity provider can be accessed through a social engineering channel that bypasses its own authentication requirements, all of the downstream NHI controls built on top of it are exposed.
Recommendations
- Harden IT helpdesk identity verification immediately. Knowledge-based verification is insufficient for any action that provides access to corporate systems, because the answers are researchable. Require one or more of: in-person verification with ID, manager co-authorisation via a separate authenticated channel, callback to a pre-registered number confirmed against the HR system, or verification bound to a factor the caller already holds (for example, a FIDO2/passkey assertion or a push approval on an enrolled device) rather than to facts about them.
- Treat Okta and identity provider administrators as ultra-high-privilege accounts. These accounts can reset access for every user and application in the environment. They require phishing-resistant MFA, dedicated privileged access workstations, and rigorous approval workflows for all administrative actions, and they should be excluded from the standard helpdesk reset workflow altogether so that no single phone call can recover them.
- Implement real-time monitoring for privileged Okta actions. Admin account logins from new locations, bulk user password resets, MFA device changes for privileged accounts, and new application integrations should all generate immediate security alerts.
- Scope and review all Okta application integrations periodically. Every application integrated with your Okta environment is a non-human identity relationship. Review the access each application integration holds and remove any that are no longer required.
- Implement emergency break-glass procedures that do not rely on the compromised identity provider. If your Okta environment is compromised, your response capability should not depend on systems that SSO through Okta. Ensure break-glass administrator accounts use a different authentication path.
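The monitoring gap described under “Insufficient monitoring of privileged Okta account actions” and the alerting recommendation above can be turned into concrete detection logic. The example below is added here and is not code from the original page or from MGM or Okta; it runs rules over Okta System Log-shaped events (event type names follow Okta’s System Log conventions, but confirm them against your tenant) and flags the sequence an attacker would leave behind: a helpdesk reset of an administrator, an MFA factor reset on that account, a sign-in from a country the account has never used, a new application integration, and a burst of password resets. The account list, baseline countries, thresholds and every sample event are constructed assumptions.

```python
"""Detection rules for privileged Okta account activity (added example, not
MGM or Okta code). Input is a list of events in Okta System Log shape."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: accounts holding Okta admin roles, normally pulled from the admin
# role inventory. Baseline countries per admin are assumed learned from history.
PRIVILEGED_ACCOUNTS = {"okta.admin@example.com"}
BASELINE_COUNTRIES = {"okta.admin@example.com": {"United States"}}

RESET_EVENTS = {"user.account.reset_password", "user.account.update_password"}
MFA_CHANGE_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
                     "user.mfa.factor.activate"}
INTEGRATION_EVENTS = {"application.lifecycle.create", "user.account.privilege.grant"}


def _ev(published, event_type, actor, targets=(), country="United States"):
    """Build a minimal constructed event in Okta System Log shape
    (target entries are simplified to alternateId only)."""
    return {"published": published, "eventType": event_type,
            "actor": {"type": "User", "alternateId": actor},
            "target": [{"type": "User", "alternateId": t} for t in targets],
            "client": {"geographicalContext": {"country": country}},
            "outcome": {"result": "SUCCESS"}}


# Constructed sample log: the helpdesk-call pattern followed by attacker actions.
SAMPLE_EVENTS = [
    # Helpdesk agent resets an Okta admin's password after a phone call ...
    _ev("2023-09-08T14:02:11.000Z", "user.account.reset_password",
        "helpdesk.agent@example.com", ["okta.admin@example.com"]),
    # ... and clears the admin's MFA factors so the caller can enrol their own.
    _ev("2023-09-08T14:03:40.000Z", "user.mfa.factor.reset_all",
        "helpdesk.agent@example.com", ["okta.admin@example.com"]),
    # The admin account then signs in from a country it has never used.
    _ev("2023-09-08T14:10:05.000Z", "user.session.start",
        "okta.admin@example.com", country="Netherlands"),
    # A new application integration is created with the admin account.
    _ev("2023-09-08T14:25:00.000Z", "application.lifecycle.create",
        "okta.admin@example.com", ["Custom SAML App"]),
    # Three password resets from the admin account inside ten minutes.
    _ev("2023-09-08T14:31:00.000Z", "user.account.reset_password",
        "okta.admin@example.com", ["user1@example.com"]),
    _ev("2023-09-08T14:34:00.000Z", "user.account.reset_password",
        "okta.admin@example.com", ["user2@example.com"]),
    _ev("2023-09-08T14:38:00.000Z", "user.account.reset_password",
        "okta.admin@example.com", ["user3@example.com"]),
    # Benign noise: ordinary sign-in and a single reset of a non-admin user.
    _ev("2023-09-08T15:00:00.000Z", "user.session.start", "user1@example.com"),
    _ev("2023-09-08T15:05:00.000Z", "user.account.reset_password",
        "helpdesk.agent@example.com", ["user4@example.com"]),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_privileged_okta_activity(events, privileged=PRIVILEGED_ACCOUNTS,
                                    baseline=BASELINE_COUNTRIES,
                                    bulk_threshold=3, window=timedelta(minutes=10)):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    resets_by_actor = defaultdict(deque)  # sliding window of reset times per actor
    for ev in sorted(events, key=_ts):
        etype, actor, when = ev["eventType"], ev["actor"]["alternateId"], _ts(ev)
        targets = [t.get("alternateId") for t in ev.get("target", [])]
        country = ev.get("client", {}).get("geographicalContext", {}).get("country")
        hit_privileged_target = any(t in privileged for t in targets)

        def alert(rule, **extra):
            alerts.append({"rule": rule, "actor": actor, "targets": targets,
                           "time": ev["published"], **extra})

        if (etype == "user.session.start" and actor in privileged
                and ev["outcome"]["result"] == "SUCCESS"
                and country not in baseline.get(actor, set())):
            alert("privileged_login_new_location", country=country)
        if etype in RESET_EVENTS:
            if hit_privileged_target:
                alert("privileged_password_reset")
            q = resets_by_actor[actor]
            q.append(when)
            while q and when - q[0] > window:  # drop resets outside the window
                q.popleft()
            if len(q) >= bulk_threshold:
                alert("bulk_password_reset", count=len(q))
                q.clear()  # fire once per burst, not on every further reset
        if etype in MFA_CHANGE_EVENTS and hit_privileged_target:
            alert("privileged_mfa_change")
        if etype in INTEGRATION_EVENTS and actor in privileged:
            alert("new_integration_or_privilege_grant")
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_privileged_okta_activity(SAMPLE_EVENTS), indent=2))
```

Run against the constructed log, the first alert fires at 14:02 on September 8, on the helpdesk reset itself, rather than after the attacker has had days inside the SSO estate. In production, feed the rules from the Okta System Log API or your SIEM’s Okta integration, and treat the combination of a helpdesk reset and an MFA factor reset on any privileged target within minutes as a page-out, not a ticket.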
How NHI Mgmt Group Can Help
Securing non-human identities (NHIs), including AI agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.
Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.
Final Thoughts
The MGM Resorts breach cost over $100 million and exposed the personal data of 37 million customers. The helpdesk call that enabled it lasted approximately 10 minutes. The control that would have prevented it, an IT helpdesk verification process that could not be defeated through a phone call, costs nothing compared to that impact.
Ten years of security investment in perimeter controls, endpoint protection, and network monitoring was bypassed in 10 minutes because the one control that mattered, who can request an identity reset and how that request is verified, was not hardened against social engineering. That is the lesson. Everything downstream of identity is only as strong as the process that controls identity recovery.