On the morning of Oct. 4, 2023, the BetMGM account on X (formerly Twitter) was inundated with messages from users complaining that they were unable to access their accounts. Given the timing, some speculated that the issues were related to last month’s cyberattack on MGM Resorts International, though that may not be the case.
Bonus contributor Craig Corbeels confirmed that he was having similar issues with his account. He tells me:
I’ve been getting tons of Forgot Password SMS verification codes sent to my phone from BetMGM for at least a week and now can’t log in. Even after changing my password, it still says incorrect and I can’t get in. Not great.
A sampling of user tweets from X from Wednesday morning includes:
@zachM5_: why can I not login to my account? says password incorrect when it’s right.. even reset it and still can’t login.
@Got2bsailn: Why can’t users access their accounts? Are you notifying ppl what to do?
@Jigsaw918: Why can’t we log in? It’s saying my credentials aren’t valid…I’m clearly not the only one
@noonan1515: Quit sending promo tweets and fix the issue most users are experiencing. I’ve changed password numerous times and cannot access my account or get any help from you. @BetMGMCare care to actually help??
Prior to publication, Bonus reached out to BetMGM for comment. At around 5 p.m. ET, BetMGM’s Senior Account Director Robert Flicker responded, confirming the account issues and saying that they had been resolved.
The company’s statement reads:
We are aware of a technical issue earlier today that resulted in some customers experiencing delays or difficulty accessing their accounts. That issue has been resolved.
BetMGM did not provide any information about the cause. However, our colleagues at Legal Sports Report have heard from an unnamed source that the issues were not related to a cyberattack or the MGM hack.
Nature of the Problems
Comparing the experiences of Catena Media employees with the tweets directed at BetMGM’s account, these were the most common problems:
- Receiving an incorrect password message, either upon entering the correct password or when using face ID.
- Being asked to supply one’s date of birth and social security number as an additional security step.
- Receiving password reset messages that the user didn’t actually request.
Despite some panic that can be traced back to a single Facebook user claiming his account had been emptied, Bonus has not seen any evidence that attackers have gained widespread access to any BetMGM user accounts or their balances.
The difficulties being reported appeared consistent with what happens when there have been repeated failed attempts to access an account. That suggested the possibility of a credential-stuffing attack, meaning an automated, brute-force attempt to log in by trying username-password combinations based on data obtained elsewhere. DraftKings experienced such an attack in November 2022, which resulted in the theft of around $300,000 from user accounts.
The pace of tweets directed at the @BetMGM account appears to have abated at around noon ET. That may indicate that BetMGM has dealt with the problem.
MGM, BetMGM Are Separate, But Logins May Overlap
It’s important to note that BetMGM is not operated directly by MGM Resorts. Rather, it is a joint venture between the casino resort company and Entain, which provides the technology. Because of that, the BetMGM app was not initially affected by the cyberattack.
However, it has since come out—through a statement by the hacking group itself—that the goal of the attack was to steal data, not disable systems. ALPHV, which has claimed responsibility, said that the downtime at MGM Resorts was the result of MGM taking its own systems offline as a defensive measure.
If LSR’s source is to be believed, there is no connection between the Oct. 4 BetMGM issues and the September attack on MGM’s systems.
However, BetMGM users are automatically enrolled in MGM Rewards. A list of emails for MGM Rewards members would include those of BetMGM users, so if there had been a credential-stuffing attack, that would likely have been where the attackers had obtained the account information. To be on the safe side, BetMGM users should make sure their passwords are not reused elsewhere, including for their MGM Rewards account.
MGM and Caesars are facing a wave of class action lawsuits over the data breaches—now nine in total. The same hackers responsible for the MGM attack are suspected to be behind the one that affected Caesars. However, Caesars reportedly paid a ransom for its data, and Bonus has not yet seen signs of its users having trouble with their accounts.
Proportion of Affected Users Unclear
Although some BetMGM users have been having trouble accessing their accounts, the problem is not sitewide. Investigation by Bonus suggests that many, perhaps most, are able to log in and bet as usual.
An internal poll of employees at our parent company Catena Media resulted in 23 saying they had no trouble, and five saying they had experienced difficulties today. In most cases, changing their password or supplying additional identifying information corrected the problem. Another Catena Media employee had no trouble logging in but had issues with the withdrawal process, having to restart several times before the app would accept his request.
Another poll, on Twitter/X, shows a much higher percentage of users reporting issues. However, there may be selection bias at play there, if those experiencing issues are more likely to be on social media searching for answers. Ignoring the “Show Results” answer for non-BetMGM users, the breakdown on Oct. 4 was:
- 50% unable to access their accounts
- 30% able to access their accounts after some difficulty
- 20% reporting no issue
Since the apparent resolution of the problem, those ratios have dropped to:
- 40% unable to access their accounts
- 26% able to access their accounts after some difficulty
- 34% reporting no issue