In September 2023, the hacking group Scattered Spider breached MGM Resorts by researching an employee on LinkedIn, calling the MGM IT help desk while impersonating that employee, and talking the agent into resetting the account's password and multi-factor authentication. That single phone call gave them a foothold in MGM's identity system. As an affiliate of the ALPHV/BlackCat ransomware operation, they used it to deploy ransomware across MGM's infrastructure, and for roughly ten days the company's slot machines, digital room keys, reservation systems, and more were down. MGM has put the financial impact at around $100 million. Caesars Entertainment was breached by the same group shortly before, and by widespread reporting paid a ransom of about $15 million.
This is the case that put "help-desk social engineering" on every security team's whiteboard. There was no malware delivered by email, no software vulnerability. The entire breach turned on a help-desk agent doing their job (resetting access for an employee who seemed locked out) without a verification process strong enough to catch an impostor.
What happened, in one paragraph
Scattered Spider identified an MGM employee, gathered enough detail about them from public sources to be convincing, and phoned MGM's IT help desk pretending to be that person locked out of their account. In a short call, the agent reset the account's credentials and MFA, handing the attackers working access to MGM's Okta identity platform and, through it, the connected single-sign-on environment. The attackers escalated from there, and as a BlackCat affiliate they deployed ransomware across MGM's virtualised infrastructure, encrypting a large number of ESXi hypervisors. MGM took systems offline, refused to pay, and spent days rebuilding, with guest-facing services degraded across its properties.
The attack chain: help desk to ransomware
The mechanics are almost embarrassingly simple, which is exactly why they matter.
- Reconnaissance. The attackers picked a target employee and built a profile from LinkedIn and other public sources, enough to answer the basic "who are you?" questions a help desk asks.
- The phone call. They called the IT help desk impersonating the employee, claiming to be locked out, and requested a password and MFA reset. The agent, following a verification process that relied on information an attacker can find, complied.
- Identity access. The reset gave the attackers control of the employee's identity in Okta, MGM's single-sign-on hub. Compromising the identity layer is the modern equivalent of getting a master key: it is the thing that unlocks the other systems.
- Escalation and ransomware. The attackers escalated their privileges within the environment and, in their role as a BlackCat/ALPHV affiliate, deployed ransomware that encrypted MGM's virtualised servers. MGM pulled systems offline to contain it.
Okta, the identity vendor, stated that its own systems were not breached. That is the important nuance: this was not a flaw in Okta. It was a failure in the human process around Okta, the help-desk reset, which is the soft underbelly of even a well-built identity platform. Okta had in fact warned customers about exactly this style of help-desk social-engineering campaign around the same period.
The cost
| Figure | What it was |
|---|---|
| ~10 days | Duration of MGM's operational disruption across its properties. |
| ~$100 million | MGM's stated impact, reported in its financial filing as a hit to quarterly earnings (concentrated in September), plus under $10 million in one-time expenses. |
| Refused | MGM did not pay the ransom; it rebuilt instead. |
| ~$15 million | The ransom Caesars reportedly paid, of a larger demand, per widespread reporting. Caesars did not disclose the amount. |
A note on the numbers, because they are easy to misquote: the ~$100 million is MGM's estimate of the earnings impact, not a tidy "cost of the breach" line item, and the Caesars ~$15 million figure comes from reporting rather than a precise disclosed total. The two companies, hit by the same crew within weeks of each other, made opposite calls (MGM rebuilt, Caesars paid). Both ended up bearing heavy costs, and each separately disclosed that customer data, including driver's licence numbers and in some cases Social Security numbers for a subset of loyalty members, had been stolen.
Why one phone call worked
The breach is a clean illustration of two ideas from the social engineering taxonomy.
Knowledge-based verification is not verification. If the help desk confirms identity by asking for things an attacker can research or buy (name, employee ID, manager, date of birth), the check is theatre. Scattered Spider's whole method is being well-prepared enough to pass those questions. The only verification that resists this is something the attacker cannot produce on a phone call: a callback to a known number, a manager's confirmation through a separate channel, or a hardware token.
Identity is the new perimeter. Once the attackers owned the employee's Okta identity, single sign-on did for them what it does for legitimate users: it connected them to everything. Centralised identity is good security engineering, but it concentrates risk, so the reset process that can hand someone a new identity has to be the hardest thing in the building to social-engineer, not the easiest.
The attackers: young, English-speaking, persistent
Scattered Spider (also tracked as UNC3944 and Octo Tempest) is notable for not fitting the foreign-state-actor stereotype. Its members are largely young, native English speakers in the US and UK, which is part of why their phone calls land: they sound like the colleague they are pretending to be, with no language barrier to raise suspicion. They operate within the loose online community sometimes called "the Com," coordinate over Discord and Telegram, and pair their social-engineering skill with ransomware affiliates for the payload. Several arrests followed in 2024.
The takeaway is the same as from the Twitter hack: the dangerous capability here is not technical wizardry, it is the confidence and preparation to talk a human into one helpful action.
The lessons I take from it
Re-engineer the help-desk reset. This is the specific, actionable fix. Identity-reset requests, especially for MFA, should require verification an impostor on a phone cannot satisfy: a video call confirming identity against a known photo, a callback to a number on record, manager approval through a separate system, or an in-person/hardware step. Treat the reset flow as a privileged operation, because it is one.
Phishing-resistant MFA, and protect the resets. FIDO2 keys raise the bar, but only if losing or resetting them is also hard to social-engineer; otherwise the attacker just targets the reset, which is exactly what happened here.
Segment so identity compromise is not game-over. Single sign-on should not mean single-step access to the most destructive capabilities. Tiered access, just-in-time elevation for admin functions, and isolation of the virtualisation layer would have made the jump from "one reset identity" to "encrypt the hypervisors" much harder.
Have an incident plan that assumes you will rebuild. MGM's refusal to pay was defensible, but it meant a long, painful rebuild. The companies that weather these best have tested backups, a practised recovery runbook, and the organisational nerve to take systems down fast.
Where to go next
This sits in the social engineering taxonomy under help-desk pretexting and MFA abuse. The closest siblings are the Uber breach, where the same MFA-and-pretext pattern reached internal admin secrets; the Twitter hack, the original "phone call to god-mode" case; and the Robinhood breach, another support-tool compromise that started on the phone.
Sources
Authoritative references this article was fact-checked against.