On Friday, September 8, 2023, someone picked up a phone and called the MGM Resorts IT helpdesk. The caller sounded American. They gave a full name, an employee ID, and a date of birth — the kind of details you would expect from a legitimate employee locked out on a Friday afternoon.
They wanted a password reset. And while they were at it, could someone reset their multi-factor authentication too?
About ten minutes later, they had both.
That call is where a Fortune 500 hospitality giant lost its network. Not to a zero-day. Not to a nation-state APT running custom malware. To a phone call.
If you have ever worked a helpdesk shift, you already know how this story starts. It is Friday afternoon. Your queue is long. Someone senior sounds stressed, wants their access back, and just wants to get on with their weekend. You run through your identity checks, everything matches, you reset the account. Ticket closed. Move on.
By Monday, MGM’s slot machines were showing blue screens, guests were locked out of their hotel rooms, and staff were handwriting credit card details on scraps of paper at the front desk. The FTC chair, who happened to be a guest at an MGM property that weekend, was one of them.
Here is the part the news skipped: this wasn’t inevitable. It was a chain of specific, preventable decisions made long before the phone rang.

Who called MGM, and why they won
The group behind the initial access called themselves Scattered Spider — also tracked as UNC3944, Octo Tempest, and a handful of other names depending on which threat intel vendor’s report you are reading. They partnered with ALPHV/BlackCat, a Ransomware-as-a-Service operation historically linked to Russian-speaking cybercrime forums.
The interesting part of Scattered Spider is not the tooling. It is the profile.
Members are largely native English speakers, most of them between 19 and 22, some reportedly as young as 16, based mostly in the US and UK. That linguistic fluency is a tactical weapon. It lets them call a Western helpdesk without triggering the accent-based suspicion that shuts down a lot of offshore social engineering. They sound like you. They sound like the person whose account they are impersonating.
Their playbook does not require breaking anything. Before the call, the group scraped LinkedIn to map MGM’s IT hierarchy. They identified employees with privileged administrative roles — Active Directory admins, Okta admins, cloud engineers. They collected names, titles, reporting structures, and enough personal detail — often stitched together from prior breach dumps sitting on the dark web — to pass a standard helpdesk identity check.
Then they picked up the phone.
The ten minutes that broke the network
The vishing call worked because MGM’s helpdesk verified identity the way most helpdesks still do: by asking questions with public answers.
Full name. Employee ID. Date of birth.
In a world where every major data broker, breach dump, and LinkedIn profile has been indexed and cross-referenced, those three data points are not authentication. They are the answer key to a test the attacker already had. A former MGM employee later described the process bluntly: the organization was operating on the honor system.
The service desk did what service desks are trained to do. They resolved the ticket. They reset the password. They reset the MFA. The attacker was now, from the network’s perspective, the employee.
The real employee got an automated notification about the changes and reported it immediately. But minutes had already passed, and Scattered Spider had already moved.
Okta was Tier 0. Nobody told Okta.
Once inside, the attackers went straight for identity. Specifically, MGM’s Okta environment — the single sign-on layer that authenticated employees into everything else.
They did not just log in and start dumping data. They set up a backdoor most defenders do not monitor for: inbound federation.
Inbound federation is a legitimate Okta feature. It lets you link two Okta tenants together — useful during mergers and acquisitions, where you want employees from Company B to authenticate into Company A’s systems without a full migration. The problem is that when an attacker configures a rogue identity provider through inbound federation, they can grant themselves Super Administrator privileges that survive password resets. The trust is now baked into the architecture, not into any single credential.
From there, MGM’s cloud environment fell like dominoes. Because Okta was the identity trust root for MGM’s Azure tenant, compromising Okta meant compromising Azure. Scattered Spider walked out of the SSO platform with Global Administrator rights in the cloud.
At this point, they had complete control over identity across the enterprise. MGM’s security team was just starting to realize what was happening.
The response that made it worse
By Saturday, September 9, MGM’s monitoring picked up unusual activity on Okta Agent servers. By Sunday, the incident response team made a decision they were about to regret.
They shut down all Okta sync servers.
The logic was intuitive: if the attacker is in Okta, kill Okta. Sever the connection between on-prem and cloud. Cut off their movement.
The reality was that the attacker had already built a backdoor that did not depend on Okta sync at all. Shutting down the sync servers did not lock the attacker out. It locked MGM out. The security team lost visibility. The IT team lost the ability to reset legitimate user access. Employees could not log into systems the responders now needed to control.
The attackers, meanwhile, still had Global Admin in Azure and Super Admin in Okta.
In a manifesto ALPHV later posted to their leak site, they mocked the response openly, claiming MGM’s engineers did not understand how their own network worked. It is tempting to dismiss attacker propaganda, but independent security analysts largely agreed with the assessment. This was a panic response — the kind that a rehearsed incident response playbook, drilled in tabletop exercises, is supposed to prevent.
On Monday, September 11, with MGM’s teams disoriented and their response effort in shambles, Scattered Spider pivoted from the cloud back down into the physical infrastructure. They executed a mass ransomware event against more than 100 VMware ESXi hypervisors — the servers running the virtual machines that ran the casino, hotel, and point-of-sale systems.
That is the moment the slot machines went dark. That is the moment the room keys stopped working. That is the moment guests started handwriting their credit card numbers on scraps of paper at the front desk while the FTC chair watched.

The bill
MGM disclosed the incident publicly on September 11 and filed an 8-K with the SEC estimating $100 million in direct Q3 impact. That number broke down roughly like this:
- $84 million in lost revenue from offline gaming, cancelled bookings, and disrupted operations. During the outage, gaming analysts estimated MGM was losing between $4.2 million and $8.4 million per day.
- $10 million in one-time response costs — forensics, legal, third-party incident response.
- $6 million in technology rebuild and security hardening.
Roughly six terabytes of data were exfiltrated before the ransomware fired. For a smaller subset of customers, that data included Social Security numbers, passport numbers, and military IDs.
The legal aftermath ran for two more years. In January 2025, MGM agreed to a $45 million class action settlement covering roughly 37 million affected customers, consolidating claims from both the 2023 breach and an earlier 2019 incident. Final approval came from Judge Gloria M. Navarro on June 18, 2025. The FTC opened its own investigation via a sweeping Civil Investigative Demand, which MGM aggressively fought — including a motion to disqualify FTC Chair Lina Khan, arguing her personal experience as a stranded guest during the attack created a conflict of interest. That fight ended in February 2025 when the agency, under new leadership, withdrew the demand entirely.
Notably, MGM refused to pay the ransom. Caesars Entertainment, which was hit by the same actors just days before, paid roughly $15 million to make the problem go away. That contrast — public breach versus quiet payoff — became one of the most-debated case studies in modern extortion economics.
Reading the breach through the Threat & Control Method
At Blue Team Academy, we teach a specific decision process for defensive cybersecurity: Inventory → Threats → Controls → Scale. Every serious breach in the last five years has been, at heart, a failure at one or more of those steps. MGM is a near-perfect illustration of what happens when the whole chain breaks down.
Inventory. MGM’s identity platform was, in practice, a Tier 0 asset. A compromise of Okta was going to be a compromise of everything, because Okta was the trust root for both on-prem and cloud. But the operational treatment of Okta did not match that criticality. Admin roles were over-provisioned and permanent, not just-in-time. Inbound federation was enabled and left unmonitored. The organization had not inventoried Okta as the most valuable thing in the network, so it was not defended like it.
Threats. MGM’s threat model, based on the response, seemed to assume the attacker would come at the perimeter — the firewall, the web app, the endpoint. It did not seem to seriously model the human infrastructure as the highest-value target. Scattered Spider had been publicly documented for over a year by the time of the attack, and the vishing-to-helpdesk playbook was already well known in the industry. Any threat model worth writing would have named it.
Controls. This is where the failures are most concrete. Knowledge-based authentication at the helpdesk should have been retired years ago in favor of possession-based factors — FIDO2 keys, verified push to a registered device, out-of-band confirmation through a manager. There was no device trust: authentication succeeded from an unmanaged, unknown endpoint. There was no meaningful micro-segmentation between the cloud identity plane and the on-prem hypervisors. And there was no rehearsed playbook for an IAM compromise, which is why the response looked like panic instead of procedure.
Scale. The most uncomfortable part of the MGM story is not that it happened. It is that the same pattern keeps happening. Scattered Spider has since been implicated in attacks on retail, insurance, and airline companies using variations of the same vishing-to-IAM-to-ransomware chain. The controls that would have stopped MGM would have stopped most of them. The lesson does not scale if organizations only learn it after they are the headline.
What this means for IT pros moving into security
If you are reading this as a systems administrator, network engineer, or infrastructure lead thinking about pivoting into security, MGM is one of the most instructive breaches you can study. Here is why.
Every failure mode in this attack lives in territory you already understand. Active Directory. Okta or Azure AD. VMware ESXi. Helpdesk workflows. Change management. Privilege delegation. You do not need to learn what these things are — you already run them. What you need to learn is how to look at them through a defensive lens.
That is the shift the security mindset asks of you: not “how do I make this work,” but “how do I make this work without introducing unacceptable risk.” Applied to MGM, that mindset would have asked whether the helpdesk verification workflow could survive an attacker who already knew the answers. Whether privileged Okta accounts really needed permanent admin. Whether the incident response team had ever actually run a tabletop simulating exactly this scenario.
Those are questions you are already qualified to ask. You just have to start asking them.
Three concrete places to practice, this week:
- Look at how identity resets happen in your current environment. What proves the person on the phone is who they say they are? If the answer is “we ask them their employee ID,” you are looking at MGM.
- Map the trust relationships between your on-prem and cloud identity systems. If a compromise of one grants automatic access to the other, you have found a segmentation problem worth flagging.
- Ask whether your organization has a rehearsed playbook for an IAM compromise. Not for a ransomware event generally — for the specific scenario where the attacker owns your identity platform. If nobody has run that tabletop, you have a project.
You do not need to be a security engineer to notice any of this. You need the operational context you already have, plus the willingness to reframe it defensively. That reframing is the entire pivot.
The bottom line
MGM did not lose control of its network because someone found a brilliant exploit. It lost control because a ten-minute phone call bypassed a verification process that should not have existed in 2023 — and because the layers underneath that verification were not built to catch a compromised identity once the perimeter was already through.
Modern threat actors are increasingly not hacking in. They are logging in. The line between defense and access has moved from the firewall to the identity provider, and organizations that have not caught up are the ones writing $100 million disclosures.
Cybersecurity is not rocket science. It is inventory, threats, controls, and scale, applied honestly and in the right order, before the phone rings. If your current organization is skipping any of those steps, you already know where to start.
If MGM taught you what “identity is the new perimeter” actually means in practice, that is exactly the way of thinking Blue Team Academy is built to develop. Our program takes the IT experience you already have and turns it into a defensive skill set the market pays for. If that is the direction you want your career to go, start here.

