A significant security breach at Merkur, one of Germany’s largest gambling companies, has raised alarms over data protection. The breach potentially exposed the personal data of up to 800,000 players across several of Merkur’s gambling platforms, including Slotmagie, Crazybuzzer, and Merkurbets. Security researcher Lilith Wittmann first brought attention to the incident through a blog post published on March 14, alleging that the breach stemmed from an unsecured GraphQL interface. This vulnerability reportedly allowed unauthorized users to access sensitive data, including full names, account details, gaming histories, and transaction records.
Wittmann discovered that the unsecured API left extensive personal information vulnerable to exposure, including identity verification documents like ID cards and letters from employment agencies.
Merkur had notified its customers about a data exposure issue on March 12, and the company later confirmed that the breach was caused by improperly secured interfaces on its merkurbets.de website. Wittmann reported the findings to Germany’s gambling regulator, the GGL, which helped facilitate the collection of evidence.
The breach’s scope included over 70,000 copies of ID cards, with more than 800,000 individuals potentially affected, though these figures have yet to be independently verified.
Merkur responded swiftly by stating that it had resolved the security vulnerability on February 28, the same day it was notified by the GGL. The company clarified that its service provider was the target of a cyberattack, although it emphasized that the attackers had no intention of misusing or sharing the data. Merkur engaged external IT security experts to close the security gaps, optimize systems, and enhance employee training. The company also increased internal security measures and conducted security audits. Despite these efforts, some players remained concerned about the breach, particularly given that several online casinos using Merkur’s software were unapproved by the GGL.
The breach also caused several platforms, including Slotmagie, Crazybuzzer, and Merkurbets, to experience unexpected outages. Merkur initially attributed these disruptions to issues with LUGAS, Germany’s national gambling monitoring system, and insisted that the outages were unrelated to the cyberattack. However, some users questioned the timing of the outages, expressing frustration over the company’s handling of the incident. As of March 15, 2025, the platforms were restored, but players continued to worry about the misuse of their personal data. Merkur has urged players to remain vigilant and monitor their accounts for potential fraudulent activity.
Reference:
