Breach Teardown
What Caused the MGM Resorts Breach?
The MGM Resorts attack is the case every help-desk security conversation now references. Attackers reportedly impersonated an employee on a phone call to IT support, obtained a credential reset, and escalated to super administrator access in the identity provider. Slot machines, room keys, and reservations went down for days, and MGM reported roughly $100 million in impact.
- Scale
- ~$100M reported operational impact
- Attack vector
- Help-desk vishing to an identity-provider super admin
- IAM domains implicated
- Auth/SSO, PAM, Security
- Domino controls hit
- 2 of 4
The Incident
What Happened
In September 2023, MGM Resorts shut down large parts of its IT environment in response to an intrusion attributed in reporting to the group tracked as Scattered Spider, working with the ALPHV/BlackCat ransomware operation. The disruption was highly visible: casino floors, digital room keys, reservations, and payment systems were degraded for days. MGM later reported an approximately $100 million impact in a securities filing.
The joint FBI/CISA advisory on Scattered Spider, published that November, documents the group’s core tradecraft: convincing IT help desks, in fluent English and armed with personal details gathered from public sources, to reset credentials and MFA factors for targeted accounts. Reporting on the MGM incident described this pattern, with the attackers reaching super administrator privileges in the company’s Okta identity platform.
Once an attacker controls the identity provider itself, every downstream control inherits the compromise. They can reset factors, mint sessions, and federate their own infrastructure. Identity-provider vendors published guidance on cross-tenant impersonation attacks in the wake of this campaign.
Attack Chain
How the Attack Compounded
Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.
Attackers profile an employee from public sources and call the IT help desk impersonating them.
AUTH-05
The help desk resets the password and MFA factor without high-assurance identity verification.
AUTH-05
The recovered account path leads to identity-provider super administrator privileges.
PAM-01
IdP control enables persistence through factor resets, session minting, and rogue federation ahead of ransomware deployment.
SEC-01
Containment requires shutting down core systems; operations degrade for days.
Control Mapping
The IAM Controls That Failed
Every failure point below corresponds to a control in the AXIS question bank, the same 4 controls a maturity assessment would have scored before this incident.
| Control | Domain | Capability | How it failed here |
|---|---|---|---|
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | Account recovery was the front door. A phone call defeated the entire authentication stack, and the strongest MFA is worth what the reset process behind it is worth. |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | Recovery flows could re-enroll factors without phishing-resistant verification of the person requesting them, so possession of personal details substituted for possession of a credential. |
| PAM-01 Domino | PAM | Admin Credential Protection | Super-admin access in the identity provider was reachable through a standard account-recovery path. Tier-0 identity roles need isolation, dedicated hardened accounts, and step-up verification that a help-desk reset cannot satisfy. |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | Post-compromise IdP activity such as factor resets, privileged role use, and federation changes is among the highest-signal telemetry available, and it needed to be caught before the impact became irreversible. |
The Maturity Lesson
What Would Have Changed the Outcome
The Domino Effect
None of MGM’s visible chaos started with malware. It started with an identity process. In AXIS terms, AUTH-05 (account recovery resistance) is where the assessment conversation begins, but PAM-01 (admin credential protection) is the domino: when identity-provider super admins are compromised, the cap on the overall score reflects that every other control now depends on attacker goodwill.
The Maturity Level That Mattered
At level 2 or 3 on AUTH-05, help-desk resets for privileged users require high-assurance verification: callback to a registered device, live ID verification, or manager attestation. Any of those breaks the vishing playbook. At level 3 on PAM-01, IdP super-admin roles live in dedicated, isolated accounts that are not eligible for standard help-desk recovery at all.
Organizations consistently score their MFA technology and forget to score the humans who can override it. A maturity model that does not ask about recovery flows will rate a program strong when a ten-minute phone call can defeat it.
Related Compliance Frameworks
The controls implicated in this breach carry citations in these frameworks within the AXIS bank:
Sources
About This Analysis
This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at MGM Resorts. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with MGM Resorts.
More From the Breach Radar
Would Your Program Have Caught This?
The 4 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.