The hotel chain has confirmed that the personal information of up to 10.6 million people, including Justin Bieber and Twitter's Jack Dorsey, who have stayed at MGM Resorts hotels over the past several years, has been posted to an online hacking forum.

The compromised information includes 10,683,188 guest records, including full name, address, e-mail address, phone number, and date of birth, although not all records appear to hold data for each category.

It is unclear if these numbers represent the total number of individuals affected or if repeat guests are counted multiple times.

The stolen data did not include credit card numbers or passwords, but there is more than enough information there to give identity thieves and SIM swappers a solid start. (Dorsey may have been the victim of a SIM swapping attack last August.)

The HaveIBeenPwned website has already added the 3.1 million email addresses involved.

It is unclear when the data was stolen, but ZDNet, which was tipped off that the data was posted on a hacking forum and analyzed the data with the help of security firm Under the Breach, concluded that none of the data was collected after 2017.

ZDNet was able to verify the validity of some of the records by contacting the individuals named through the phone numbers and email addresses listed in the data.

If you stayed at an MGM Resorts hotel in the years leading up to 2017, the best thing to do would be to use AnnualCreditReport.com to diligently obtain a free credit report every four months.

You should also contact your cell phone company and ask if they can add a PIN lock to your account so that you cannot port your number to another phone without a PIN.

If you are truly concerned, consider an identity protection service such as IdentityForce, LifeLock, or IDShield.

MGM Resorts confirmed the data theft yesterday (February 19) when ZDNet contacted the company. The company admitted that it learned of the information breach last summer, but ZDNet reports that it has notified affected individuals, to the extent required by local law.

"Last summer, we discovered unauthorized access to a cloud server containing limited information on certain past guests of MGM Resorts," MGM told ZDNet." We are confident that no financial, payment card, or password data was involved in this matter."

"We are confident that the information was not compromised.

It is not clear why the public is only now learning about this. Many states require mandatory disclosure of data breaches to residents, although the type of data subject to notification varies from state to state.

Still, given the nature of the breach and the number of people involved, it is unlikely that the stolen data could have escaped wider scrutiny.

Similarly, MGM Resorts did not suggest compensating affected individuals with free credit monitoring, as most companies do after a data breach.

MGM Resorts' hotels include many well-known Las Vegas hotels, such as the MGM Grand, Aria, Bellagio, Excalibur, Luxor, Mandalay Bay, New York New York, Park Hotel, Vdara Hotel, and others, such as CES and Black Hat The company hosts thousands of technology professionals each year for annual conferences such as CES and Black Hat.

The company also operates the MGM National Harbor Resort near Washington, D.C., the MGM Springfield Casino and Resort in Massachusetts, the MGM Grand Detroit, the Borgata in Atlantic City, and the Tunica, Mississippi, near Memphis The company also operates the Gold Strike Casino Resort.