Topgoal TV

Data leak hits Merkur: 800,000 players may be exposed

A major data breach has hit Merkur, one of Germany’s biggest gambling firms. The company reported that personal data from up to 800,000 players may have been exposed.

Several platforms were affected, including Slotmagie, Crazybuzzer and Merkurbets.

Researcher uncovers breach and alerts the authorities

The issue became public after security researcher Lilith Wittmann posted findings online. She discovered an unprotected API on Merkur’s systems.

She said this weakness allowed access to full names, account data, gaming history and payment records. Identity documents, like ID card copies and job agency letters, were also at risk.

Fault traced to insecure software interface

Wittmann pointed to a poorly secured GraphQL interface. It lacked access controls. This made it possible for outsiders to view user data without permission.

She reported the flaw to Germany’s gambling regulator, the GGL. She estimated that over 70,000 ID card copies were accessible, but this has not been verified by officials.

Software used from external provider in Malta

The platforms used software from a provider called The Mill Adventure. This Malta-based company now faces scrutiny.

Wittmann warned that their systems had more flaws and noted that some casinos using the software were not on the GGL’s official whitelist.

Merkur reacts with statements and fixes

Merkur issued a warning to its users by email and website. It called the situation a “data protection case” and advised players to watch for fraud.

The company said the flaw was due to misconfigured interfaces on merkurbets.de. It stated a registered user could see data from others.

Merkur claims that it was told about the breach on 28 February by the GGL. Their tech team fixed the issue the same day.

Company increases its internal security

Merkur has taken more steps to strengthen its systems. These include audits, expert consultations and staff training.

They also notified the relevant data protection authorities. Merkur stressed that the hacker had not misused the data and called her an “ethical hacker.”

The Mill Adventure also comments on the incident

A spokesperson for The Mill Adventure said they acted fast. They worked with cybersecurity experts to close the gaps.

The company promised stronger protection for players going forward.

System downtime adds to user frustration

On 15 March, players reported outages across Merkur platforms. The company blamed LUGAS, Germany’s national gambling system.

It said the outages were unrelated to the data breach. The GGL later confirmed that LUGAS had suffered a technical error.

Players respond with criticism and concern

Users on gambling forums voiced anger. Some asked why data like video verification images were still stored.

Others accused Merkur of downplaying the issue. One user wrote: “It’s a scandal, and Merkur is playing the whole thing down as if it were a minor matter.”
