Do you recall what you were doing at age 15?

I would not be surprised if you said trying out new activities, clubs, relaxing, or working. A teenager, only 15 years old at the time, allegedly took working to a different level, contributing to a casino operator losing around $100 million through a series of cyberattacks. 

Cyberattacks are Indifferent

When most people think of cyberattacks, they imagine complex campaigns from faraway groups. That is not the full picture. Cyberattacks are indifferent to who you are and where you are. Consider this: a 15-year-old boy, now 17, has been accused of helping attack one of the largest casino operators in the world, MGM Resorts International.

The teenager allegedly helped cause havoc in a multibillion-dollar industry using voice phishing and service-desk social engineering. Instead of dropping malware first, attackers won trust, phoned the help desk, and reset passwords after identifying staff through LinkedIn.

You might ask yourself, “How did no one catch the problem beforehand?”

The Speedy Rise of Voice Phishing

It is not easy to catch this kind of problem in real time. While defenses vary, vishing (voice phishing) has improved fast. Today, one convincing call to IT support can be enough to start privilege escalation and move inside identity platforms. That is exactly why recent analyses of the MGM incident focus on the initial help-desk social engineering and the weak verification at the service desk.

The media focused on the age of the suspects because it is surprising, but do not miss the technique: find an employee on LinkedIn, impersonate them credibly, then push for a reset or session hijack. It is social engineering, not magic.

While this incident occurred on a large scale, a smaller version of the same attack can just as easily happen to you. Make sure you keep yourself safe!

How to Keep Yourself Safe

  1. Remove or disable apps you do not use. Fewer apps mean fewer outdated permissions and fewer targets.
  2. Store passwords in a trusted password manager, not phone notes or paper. If one login is stolen, a manager makes unique passwords practical, and one breach will not open everything else.
  3. Back up important data in two places, for example, one external drive and one reputable cloud service. Test restore occasionally so you know backups work.
  4. Use WPA3 on home Wi-Fi if your router supports it, and change the default admin credentials.
  5. Turn on multifactor authentication for email, banking, and any account that touches money or identity.
  6. Teach a help-desk password-reset rule for your family or small business: no changes on voice alone; require a known out-of-band check, such as an app prompt or a code sent to a pre-registered number. (This directly counters the MGM-style playbook.)
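The sixth rule is the one that directly blocks the MGM-style help-desk playbook, so here is what it looks like as code. This is an added example, not code from the original post or from any help-desk product: a small reset gate that only issues a one-time code to the contact already on file (the caller's claimed phone number is deliberately ignored), expires the code, limits guesses, and refuses any reset for which no out-of-band challenge was completed. The `Employee` directory, the `ResetDesk` class, the phone numbers and the time limits are all constructed for illustration.

```python
"""Help-desk password-reset gate: no change on voice alone (added illustrative example)."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is only good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong codes and the request is escalated


@dataclass
class Employee:
    username: str
    registered_phone: str  # out-of-band contact registered before any incident


@dataclass
class ResetChallenge:
    code: str
    destination: str
    issued_at: float
    attempts: int = 0


class ResetDesk:
    def __init__(self, directory, clock=time.time):
        self.directory = directory          # username -> Employee
        self.clock = clock                  # injectable for testing expiry
        self.challenges = {}                # username -> pending ResetChallenge
        self.sent = []                      # (destination, code) that would go out of band
        self.applied = []                   # (username, new_password) resets actually made

    def start_reset(self, username, caller_supplied_phone=None):
        """Step 1: send a one-time code to the pre-registered contact only.

        Whatever number the caller reads out over the phone is ignored; the
        point of the control is that the caller cannot choose the channel."""
        emp = self.directory.get(username)
        if emp is None:
            raise LookupError("unknown account")
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = ResetChallenge(code, emp.registered_phone, self.clock())
        self.sent.append((emp.registered_phone, code))  # stand-in for the SMS/app push
        return emp.registered_phone

    def complete_reset(self, username, code_from_caller, new_password):
        """Step 2: apply the reset only if the out-of-band code comes back in time."""
        ch = self.challenges.get(username)
        if ch is None:
            return False, "no pending challenge; voice identification alone is not enough"
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[username]
            return False, "challenge expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.challenges[username]
            return False, "too many attempts; escalate to manager"
        # constant-time comparison so a wrong guess leaks nothing about the code
        if not hmac.compare_digest(ch.code, code_from_caller):
            return False, "code mismatch"
        del self.challenges[username]
        self.applied.append((username, new_password))
        return True, "reset applied"


if __name__ == "__main__":
    # constructed sample directory: one employee with a pre-registered number
    desk = ResetDesk({"alice": Employee("alice", "+1-555-0100")})
    print(desk.complete_reset("alice", "123456", "new-pw"))   # refused: no challenge
    dest = desk.start_reset("alice", caller_supplied_phone="+1-555-9999")
    print("code sent to", dest)                               # the registered number, not the caller's
    print(desk.complete_reset("alice", desk.sent[-1][1], "new-pw"))
```

The important design choice is in `start_reset`: the destination comes from the directory, never from the caller. A help desk that asks "which number should I text the code to?" has reintroduced the very weakness this rule is meant to remove.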
