Data protection scandal at Merkur.com AG: Over 800,000 players affected
On March 15, 2025, several Merkur.com AG gambling platforms experienced a sudden outage. The websites of Slotmagie, Crazybuzzer and Merkurbets went into maintenance mode in the afternoon without any initial explanation from the operators. It later emerged that a serious security vulnerability had been discovered, leaving sensitive data of hundreds of thousands of players unprotected online.
The vulnerability, discovered by security researcher Lilith Wittmann, affected over 800,000 players. Besides personal data, the exposed records covered deposits and withdrawals as well as identity verification information. Particularly serious was the exposure of more than 70,000 copies of identity cards and other documents submitted for "Know Your Customer" procedures.
According to Merkur.com AG, the vulnerability persisted for an extended period of time, which means that further unauthorized access cannot be ruled out. High security standards are required in the gambling industry, yet serious negligence in the handling of customer data was evident here.
The affected casinos use software from the Maltese company "The Mill Adventures," whose GraphQL interface was not sufficiently protected. This allowed unrestricted queries and thus access to sensitive information. Online casinos that allegedly operate illegally and use the same software were also no longer accessible on Saturday evening.
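The article does not detail how the interface was left open, so the following is a constructed illustration of the general class of problem, not code from The Mill Adventures or Merkur.com AG: a GraphQL-style `player(id)` resolver that only checks that a record exists, next to a hardened version that enforces authentication, ownership (or a support role) and keeps the KYC document restricted to the account owner. The player records, field names and roles are assumptions; the final function is the kind of authorization test a defender would run to confirm a viewer can reach only its own record.

```javascript
// Constructed in-memory player store (sample values, not real data).
const players = new Map([
  ["1001", { id: "1001", name: "Player A", balance: 120.5, kycDocument: "id-card-1001.pdf" }],
  ["1002", { id: "1002", name: "Player B", balance: 80.0, kycDocument: "id-card-1002.pdf" }],
]);

// Weak resolver (signature mirrors GraphQL's (parent, args, context)):
// the only check is that a player with the requested id exists, so any caller
// who can reach the endpoint can read any player's profile and KYC document.
function playerResolverWeak(_parent, args, _context) {
  return players.get(args.id) ?? null;
}

// Hardened resolver: the caller must be authenticated and must either own the
// record or hold the "support" role. Object-level check first, then a
// field-level rule: the KYC document is returned to the owner only.
function playerResolverHardened(_parent, args, context) {
  const viewer = context && context.viewer;
  if (!viewer) throw new Error("unauthenticated");
  const record = players.get(args.id);
  if (!record) return null;
  const isOwner = viewer.id === record.id;
  const isSupport = Array.isArray(viewer.roles) && viewer.roles.includes("support");
  if (!isOwner && !isSupport) throw new Error("forbidden");
  const { kycDocument, ...profile } = record;
  return { ...profile, kycDocument: isOwner ? kycDocument : null };
}

// Authorization test helper: runs one resolver for every id under a given
// viewer context and returns the ids whose records came back. For a correctly
// protected resolver the result must contain only what the viewer may see.
function recordsVisibleTo(resolver, context, ids) {
  const visible = [];
  for (const id of ids) {
    try {
      const result = resolver(null, { id }, context);
      if (result) visible.push(result.id);
    } catch (_denied) {
      // access denied: expected for foreign records and anonymous callers
    }
  }
  return visible;
}
```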
Reaction from Merkur.com AG
On Saturday evening, Slotmagie and Crazybuzzer were back online at around 10 p.m. Merkurbets initially displayed a message indicating an outage of the Transnational Gambling Supervision System (LUGAS). At around 10:30 p.m., players were able to access all three platforms again, but only after first clearing their cookies or switching to incognito mode.
Merkur.com AG emphasized that the short-term shutdown of the platforms was related to LUGAS and not directly to the disclosed data breach. However, experts believe it is likely that the operators wanted to gain time to implement security measures.
Players registered with one of the affected casinos should check their bank accounts for unauthorized transactions and be vigilant against possible identity theft. This incident demonstrates the importance of strict authorization management and comprehensive security measures in online gambling.
The revelation of the security vulnerability is likely to draw increased attention from gambling regulators to the affected providers. Regulatory authorities are expected to investigate whether violations of data protection guidelines or legal requirements have occurred. If this is the case, those responsible face severe penalties.
The case once again raises the question of how secure customer data at online casinos actually is. In particular, the use of technologies like GraphQL requires tightly controlled security measures to prevent unauthorized access. In this case, these measures were clearly insufficient – with potentially serious consequences for the affected players.