
MGM Resorts vishing breach: what IAM teams should learn


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7550
Topic starter  

TL;DR: MGM Resorts’ 2023 outage showed how vishing and help desk impersonation can bypass weak identity verification, disrupting room keys, slot machines, and other services while risking customer data. The incident demonstrates that authentication controls fail when they still rely on human judgment at the point of escalation, not just stronger factors.

NHIMG editorial — based on content published by 1Kosmos covering the MGM Resorts cyberattack: identity verification gaps exposed by vishing and compromised authentication

Questions worth separating out

Q: How should security teams secure help desk password reset and account recovery flows?

A: Treat recovery as a privileged access function.

Q: Why do social engineering attacks still defeat mature IAM programmes?

A: Because many programmes secure the login event but leave recovery, escalation, and exception handling under-governed.

Q: What breaks when account recovery relies on verbal verification?

A: Verbal verification breaks when the attacker can sound credible, use public information, or pressure staff into acting quickly.

Practitioner guidance

  • Reclassify the service desk as a high-risk access channel: apply privileged access controls, call-back verification, and dual approval to any request that can reset credentials, unlock accounts, or change authentication factors.
  • Harden recovery flows before attackers reach them: remove weak knowledge-based checks and replace them with stronger proofing tied to authoritative identity records, device binding, or step-up authentication.
  • Map the blast radius of every reset path: document which systems, sessions, and entitlements become reachable after a support action, then reduce the number of accounts that can unlock multiple downstream services.
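The three guidance points above can be expressed as one policy gate in front of the service desk tooling. The following is an added illustration written for this post (not 1Kosmos' product or the NHIMG forum's own code): the entitlement map, action names, and the two-approver threshold are constructed assumptions, and knowledge-based answers are deliberately given no weight in the decision.

```python
"""Help-desk recovery gate: policy check for credential reset requests.

Added example, not from 1Kosmos or NHIMG. The entitlement map, action names
and thresholds below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Constructed map: entitlement -> downstream systems reachable after a reset.
ENTITLEMENT_SYSTEMS = {
    "sso-admin": {"sso", "hr", "finance", "pms"},
    "pms-operator": {"pms"},
    "slots-ops": {"gaming-floor"},
    "basic": set(),
}

# Any support action that can reset, unlock or change a factor is privileged.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_factor_change", "account_unlock"}


@dataclass
class ResetRequest:
    action: str
    entitlements: list
    callback_verified: bool = False   # call-back to the contact on record succeeded
    step_up_passed: bool = False      # requester completed a device-bound step-up
    approvals: set = field(default_factory=set)  # distinct approver ids
    kb_answers_correct: bool = False  # knowledge-based answers: recorded, never trusted


def blast_radius(entitlements):
    """Union of downstream systems an attacker could reach once this account is unlocked."""
    systems = set()
    for ent in entitlements:
        systems |= ENTITLEMENT_SYSTEMS.get(ent, set())
    return systems


def decide(req, dual_approval_threshold=2):
    """Return (allowed, reasons). Denial reasons are listed so the desk can see what is missing."""
    if req.action not in HIGH_RISK_ACTIONS:
        return True, []  # low-risk action: standard handling
    reasons = []
    if not req.callback_verified:
        reasons.append("missing call-back to contact on record")
    if not req.step_up_passed:
        reasons.append("missing step-up authentication")
    # Wide blast radius: a single agent must not be able to unlock several systems alone.
    if len(blast_radius(req.entitlements)) >= dual_approval_threshold and len(req.approvals) < 2:
        reasons.append("wide blast radius requires two distinct approvers")
    return len(reasons) == 0, reasons
```

Note that `kb_answers_correct` is carried on the request for audit purposes but never influences `decide`, which is the point of removing knowledge-based checks from the proofing path.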

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • The vendor’s explanation of how identity-based authentication is positioned against vishing and recovery abuse
  • Product-specific detail on biometric verification, liveness checks, and non-phishable MFA claims
  • The vendor’s compliance and chain-of-custody narrative for organisations evaluating identity proofing options
  • Implementation-oriented framing for teams considering passwordless and biometric-driven authentication paths

👉 Read 1Kosmos' analysis of the MGM Resorts cyberattack and identity verification gaps →
