Leading sports betting company BetMGM has disclosed a data breach after a malicious actor stole personal information belonging to an undisclosed number of customers.

Although the personal information stolen in the attack varied for each customer, the attackers obtained a wide range of data, including names, contact information (such as mailing addresses, email addresses and phone numbers telephone), dates of birth, hashed social security numbers, account identifiers (such as player IDs and screen names), and information relating to transactions with BetMGM.

The company added that it discovered the incident in November 2022, but believes the breach occurred in May 2022.

“BetMGM currently has no evidence that customer passwords or account funds were accessed as part of this issue,” a press release posted on Wednesday. said.

“BetMGM’s online operations have not been compromised. BetMGM is coordinating with law enforcement and taking steps to further enhance its security.”

In breach notification letters sent on December 21, 2022, customers were asked to watch for “unsolicited communications” and “suspicious activity” related to their personal information.

A spokesperson for BetMGM did not respond to an email sent by BleepingComputer today, requesting further information on the number of customers affected.

More than 1.5 million BetMGM customers are said to have been affected

Although the betting company has yet to disclose the number of customers whose information was stolen in the May breach, the likely attackers are already selling it online.

“We hacked BetMGM’s casino database as of November 2022,” says the threat actor named “betmgmhacked” who posted the stolen information for sale on a hacking forum yesterday.

“The database includes all BetMGM casino customers (over 1.5 million) as of November 2022 from MI, NJ, ON, PV and WV. Any customer who placed a casino bet included in this database. “

According to the threat actor’s message titled “BetMGM.com Casino Database Breach”, BetMGM’s stolen customer information database allegedly contains 1,569,310 user records.

It also claims to include datasets belonging to players from BetMGM casinos in New Jersey and Pennsylvania, as well as a “Master Casino” dataset containing customer information from all states (all customer records include the phone number, email address, and address information, according to the threat actor).

BetMGM, based in New Jersey, is a sports betting operator founded in 2018 as a joint venture between the American hospitality and entertainment company MGM Resorts International and Entain plc, one of the largest sports betting and games in the world.

BetMGM’s portfolio of sports betting and online gaming brands includes BetMGM, Borgata Casino, Party Casino and Party Poker.