Merkur Information Leak Raises Concern Over Data Protection

Merkur has been targeted by a cyberattack that allegedly revealed sensitive data belonging to hundreds of thousands of gamblers


A recent cyberattack on Merkur, one of Germany’s most iconic gaming operators, has triggered serious concerns regarding data protection.

The attack allegedly compromised the personal data of players on several of the operator’s sites, including Slotmagie, Crazybuzzer, and Merkurbets.

Security researcher Lilith Wittmann first revealed the breach in a Medium blog post on March 14.

Unsecured API Made Sensitive Information Available

Wittmann believes that an improperly secured application programming interface (API) was the cause of the leak. The exposed information, which included full names, account details, and gaming history, was accessible to unauthorized users.

Among the leaked data were identity verification documents, such as over 70,000 ID card copies and employment letters. 

The researcher contacted the country’s gambling regulator, the GGL, informing them that an estimated 800,000 individuals may have been affected by the leak, though this figure remains unverified.

Merkur’s platforms reportedly use software from The Mill Adventure, a Malta-based company. Wittmann suggested that security gaps in this software could be partly responsible for the breach. 

Some casinos running this software were not included in the GGL’s whitelist.

Merkur Advised Caution 

Merkur informed customers of a “data protection case” and advised caution against fraud.

The company explained that despite its “extensive security measures,” the IT system of one of its service providers was hacked.

Their investigations into security vulnerabilities revealed that “incorrectly configured interfaces on the merkurbets.de website made it possible for a registered customer to view other customers’ data.”

“However, to the best of our knowledge, these activists have no intention of sharing or misusing the information obtained,” explained Merkur. 
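Merkur’s description of “incorrectly configured interfaces” that let one registered customer view other customers’ data matches the class of flaw OWASP lists as API1, Broken Object Level Authorization: the endpoint checks that someone is logged in but never checks that the caller owns the record requested. The example below is added here to illustrate that class; it is not code from Merkur, merkurbets.de or The Mill Adventure, and the endpoint shape, record layout, session model and log format are assumptions. It shows the vulnerable handler beside the fixed one, simulates a logged-in customer walking the ID space against each, and runs a retrospective check over constructed access-log lines that flags sessions reading many distinct customer IDs.

```python
"""Object-level authorization on a customer-record endpoint: vulnerable and
fixed variants, plus a log check for ID enumeration.

Added example, not code from Merkur, merkurbets.de or The Mill Adventure.
The endpoint, record layout, session model and log format are assumptions
chosen to illustrate the BOLA pattern (OWASP API1).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store: three customers keyed by a sequential id.
CUSTOMERS = {
    1001: {"name": "Alice Example", "id_doc": "id-1001.pdf"},
    1002: {"name": "Bob Example", "id_doc": "id-1002.pdf"},
    1003: {"name": "Cara Example", "id_doc": "id-1003.pdf"},
}


@dataclass(frozen=True)
class Session:
    """Result of authentication: who is logged in, and with what role."""
    user_id: int
    is_support: bool = False


class Unauthorized(Exception):
    """No valid session (HTTP 401)."""


class NotFound(Exception):
    """Record does not exist or the caller may not see it (HTTP 404)."""


def get_customer_vulnerable(session, customer_id):
    """Checks that *someone* is logged in, then returns any record asked for.

    Authentication without object-level authorization: any registered
    customer can read any other customer's record by changing the id.
    """
    if session is None:
        raise Unauthorized()
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise NotFound()
    return record


def get_customer_fixed(session, customer_id):
    """Same endpoint with the ownership check the vulnerable one lacks.

    A customer may only read their own record; support staff may read any.
    Denied reads return the same 404 as missing ids, so the endpoint does
    not confirm which ids exist to an enumerating caller.
    """
    if session is None:
        raise Unauthorized()
    if not session.is_support and session.user_id != customer_id:
        raise NotFound()
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise NotFound()
    return record


def enumerate_records(handler, session, id_range):
    """Simulates one logged-in customer walking the id space."""
    leaked = {}
    for cid in id_range:
        try:
            leaked[cid] = handler(session, cid)
        except NotFound:
            continue
    return leaked


# Constructed access-log lines: session id, method, path. sess-b reads many ids.
SAMPLE_LOG = """\
sess-a GET /api/customers/1001
sess-b GET /api/customers/1002
sess-b GET /api/customers/1001
sess-b GET /api/customers/1003
sess-b GET /api/customers/1004
sess-c GET /api/customers/1003
"""


def sessions_reading_many_ids(log_text, threshold=3):
    """Flags sessions that fetched at least `threshold` distinct customer ids.

    A customer legitimately reads only their own record, so the number of
    distinct ids per session is a cheap retrospective indicator of enumeration.
    """
    prefix = "/api/customers/"
    seen = defaultdict(set)
    for line in log_text.splitlines():
        sess, _method, path = line.split()
        if path.startswith(prefix):
            seen[sess].add(path[len(prefix):])
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    bob = Session(user_id=1002)
    ids = range(1000, 1010)
    print("vulnerable:", sorted(enumerate_records(get_customer_vulnerable, bob, ids)))
    print("fixed:     ", sorted(enumerate_records(get_customer_fixed, bob, ids)))
    print("flagged sessions:", sessions_reading_many_ids(SAMPLE_LOG))
```

The fix is the single ownership comparison in `get_customer_fixed`; everything else (login check, lookup) was already there in the vulnerable version, which is why this class of bug passes casual testing with one account. The log check is the kind of query an incident team would run over the same period to estimate how many records one session actually pulled.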

The operator with close to 15,000 global employees became aware of the breach on February 28, after being notified by the GGL. 

On the same day, Merkur says, it fixed the vulnerability and followed up with security audits, reports to the regulator, and additional internal safeguards.

External IT security experts have since been engaged to improve overall protection.

Wittmann, an “Ethical Hacker”

In a response for NEXT.io, Merkur further highlighted the serious nature of the cyberattack and added that, according to their current knowledge, “Lilith Wittmann is not a ‘data thief,’ but a so-called ‘ethical hacker.’”

In a statement to Heise online, the company explained they were also “forced” to temporarily take down their systems on March 15, a measure that was “not related to the cyberattack on their service provider.”

Meanwhile, the GGL confirmed a technical issue in the LUGAS system, Germany’s national gambling monitoring system, temporarily blocking new registrations and deposits at online casinos on Saturday. 

Existing players with balances could still continue playing.

Frustrated Merkur users raised security concerns in online forums, questioning data retention and the company’s response. 

One user called it “a scandal,” accusing Merkur of downplaying the issue.

In mid-February, Merkur was slapped with a $120,000 fine in the UK because of a series of social responsibility failings.
