What types of data were exposed in the Merkur Group breach?

The breach exposed personal user information (including full names), player IDs used by the German gambling authority (GGL), gaming histories with detailed session data, user device information (IP addresses and browser details), payment information from multiple payment processors, and identity verification documents (including over 70,000 ID scans and address verification documents).

How many people were affected by the Merkur Group data breach?

According to security researcher Lilith Wittmann's findings, the data breach potentially affected over 800,000 individuals across all Merkur Group casino platforms.

What payment data was compromised in the Merkur Group breach?

Payment data from multiple processors was compromised, including: TRUSTLY (104,291 records with IBANs, account holders, partial addresses), PAYPAL (120,900 records with email addresses, partial addresses), PAYLADO (1,971 records with account holders, phone numbers), PAYSAFECARD (26,536 records with names, birth dates, partial addresses), ADYEN (128,965 records with names, IBANs, partial addresses, credit card details), PAYMENT_IQ (31,487 records with names, IBANs/credit card details, partial addresses), and SKRILL (912 records with email addresses).

When was the Merkur Group data breach discovered and reported?

The vulnerability was initially reported to Germany's gambling regulator (GGL) on February 28, 2025, by security researcher Lilith Wittmann. Merkur Group claimed they became aware of the breach on the same day when notified by the GGL and resolved the security vulnerability immediately. The breach was publicly disclosed in a detailed Medium post on March 14, 2025, and Merkur Group began notifying affected users on March 13, 2025.

What third-party services were affected by the security vulnerabilities?

The security issues extended beyond The Mill Adventures' main API to include integrations with third-party services: PaymentIQ (payment processing), DevCode Identity (verification service), and SumSub (Know Your Customer verification). The SumSub integration vulnerability enabled access to over 70,000 ID photos, selfies, and address verification documents submitted during the KYC process.

How did Merkur Group respond to the data breach?

Merkur Group began notifying affected users on March 13, 2025, admitting that 'incorrectly configured interfaces on the merkurbets.de website made it possible for a registered customer to view other customers' data.' The company claimed they resolved the security vulnerability on February 28 when notified by the GGL. Several Merkur casino platforms were temporarily taken offline, displaying maintenance notices. The company engaged external IT security experts to close identified security gaps and enhance internal security protocols.

Incident

Merkur Group Casino data breach exposes information of over 800,000 users

Q: What is the recent data breach affecting Merkur Group?

Merkur Group, a prominent casino operator in Germany, has reported a significant data breach affecting several of its online gambling platforms, including merkurbets.de, crazybuzzer.de, and slotmagie.de. The breach was discovered by security researcher Lilith Wittmann and disclosed in a detailed Medium post published on March 14, 2025.

Q: What caused the Merkur Group data breach?

The breach stemmed from an improperly secured GraphQL interface in the casino backend software provided by Malta-based company 'The Mill Adventures.' This security vulnerability allowed unauthorized access to sensitive user data without requiring authentication. Additionally, a separate vulnerability was discovered in a publicly accessible URL pattern that potentially allowed unauthorized users to initiate deposits and withdrawals from any user account.

Q: What actions did the German gambling authority (GGL) take regarding the breach?

The German gambling authority (GGL) publicly reprimanded the operators for failing to conduct required annual penetration testing of their systems as mandated by the German Interstate Treaty on Gambling. The regulator confirmed they were investigating the matter and had taken steps to secure evidence after being notified by the researcher.

published: March 17, 2025

Learn More

Merkur Group, a prominent casino operator in Germany, is reporting a significant data breach affecting several of its online gambling platforms, including merkurbets.de, crazybuzzer.de, and slotmagie.de.

Security researcher Lilith Wittmann discovered and disclosed the breach in a detailed Medium post published on March 14, 2025, after initially reporting the vulnerability to Germany's gambling regulator (GGL) on February 28.

The breach stems from an improperly secured GraphQL interface in the casino backend software provided by Malta-based company "The Mill Adventures." This security vulnerability allowed unauthorized access to sensitive user data without requiring authentication. Through this vulnerability, the following data was exposed:

Personal user information including full names
Player IDs used by the German gambling authority (GGL) for statistical data collection
Gaming histories with detailed session data including all gambling activities
User device information including IP addresses and browser details
Payment information from multiple payment processors
Identity verification documents including over 70,000 ID scans and address verification documents

Additionally, a separate vulnerability was discovered in an publicly accessible URL pattern (https://api-tma1-prd.themill.tech//pay/launch/payment_iq) that potentially allowed unauthorized users to initiate deposits and withdrawals from any user account, though withdrawals were partially protected by a manual approval process.

The security issues extended beyond The Mill Adventures' main API to include integrations with third-party services:

PaymentIQ (payment processing)
DevCode Identity (verification service)
SumSub (Know Your Customer verification)

The SumSub integration vulnerability enabled access to over 70,000 ID photos, selfies, and address verification documents submitted during the KYC process.

According to Wittmann's findings, the data breach potentially affected:

Over 800,000 individuals across all Merkur Group casino platforms
Payment data from multiple processors including:
- TRUSTLY (104,291 records) - IBANs, account holders, partial addresses
- PAYPAL (120,900 records) - Email addresses, partial addresses
- PAYLADO (1,971 records) - Account holders, phone numbers
- PAYSAFECARD (26,536 records) - Names, birth dates, partial addresses
- ADYEN (128,965 records) - Names, IBANs, partial addresses, credit card details
- PAYMENT_IQ (31,487 records) - Names, IBANs/credit card details, partial addresses
- SKRILL (912 records) - Email addresses

Merkur Group began notifying affected users on March 13, 2025, admitting that "incorrectly configured interfaces on the merkurbets.de website made it possible for a registered customer to view other customers' data." The company claimed they became aware of the breach on February 28 when notified by the GGL and resolved the security vulnerability the same day.

In their communication with customers, Merkur downplayed the severity by noting that the researcher who discovered the vulnerability "has no intention of sharing or misusing the information obtained." The company also engaged external IT security experts to close identified security gaps and enhance internal security protocols.

Several Merkur casino platforms were temporarily taken offline, displaying maintenance notices. The company initially attributed this downtime to issues with LUGAS (Germany's national gambling monitoring system), claiming it was unrelated to the breach.

Update - as of 18th of March 2025, Sumsub has issued a statement clarifying their position on the security incident. Following an investigation, the company states that there have been no data leaks or breaches on Sumsub's side.

According to Sumsub, the security vulnerability was caused externally by a third-party integrator utilized by one of their customers. The issue stemmed from the client's access credentials becoming publicly available "due to the integrator's negligence".

The specific technical issue involved an API misconfiguration flaw in the authentication process created by this third-party integrator. This misconfiguration exposed Sumsub's API tokens intended for user authentication, which subsequently enabled unauthorized access to user data through the API.

The German gambling authority (GGL) has publicly reprimanded the operators for failing to conduct required annual penetration testing of their systems as mandated by the German Interstate Treaty on Gambling. The regulator confirmed they were investigating the matter and had taken steps to secure evidence after being notified by the researcher.

Merkur Group Casino data breach exposes information of over 800,000 users

Read More
Muah.ai AI girlfriend site breached exposing sexual fantasies …
Multiple Dutch ministries hit by data breach
Indian Organ Retrieval Banking Organisation exposes organ donor …
Sui Blockchain's Cetus protocol suffers $200 million exploit
Rackspace reports data breach exposing customer data