
The Breach Beneath the Surface: Inside Merkur’s Silent Data Exposure

  • Writer: Kevin Jones
  • Mar 18
  • 12 min read

Updated: Mar 22

When a quietly published blog post exposed a critical lapse in one of Germany’s most prominent gambling platforms, the full scale of the oversight – and its impact on over 800,000 players – was impossible to ignore. This is a report about the data left unguarded, the delayed response, and what it reveals about the state of cybersecurity in regulated gambling.

On February 28, 2025, German security researcher Lilith Wittmann stumbled upon a shocking vulnerability in Merkur Group’s online casino platforms. What she found was effectively an open vault of player data. Wittmann quietly reported the issue to Germany’s gambling regulator that same day, allowing authorities to secure evidence before she went public. Two weeks later, on March 14, she published an explosive Medium blog post detailing the breach. Titled “Casino users of the Merkur Group not only lose their money but also their data,” her report described how nearly all data in Merkur’s casino backend had been left exposed online – “a data treasure trove for research, and a disaster for the users,” as Wittmann put it.


Wittmann’s disclosure set off alarms. By the next day (March 15), Merkur’s affected casino sites – including Slotmagie, CrazyBuzzer, and MerkurBets – abruptly went into maintenance mode. For several hours that Saturday, customers found only error messages or “down for maintenance” notices instead of slot games. Later that night, the sites gradually came back online – but not before Merkur claimed an external system outage was to blame for the downtime. (More on that curious excuse in a moment.)


The Technical Breakdown: Unsecured APIs Spill Everything


How could such an expansive leak happen? The short answer: glaring holes in an API. Merkur’s German online casinos all run on a central platform from Maltese provider The Mill Adventure. Wittmann discovered that a GraphQL API endpoint in this casino backend accepted queries without any authentication – no login required. Because the API also put no effective bound on how much a single query could return, a request for an extremely large page of results would hand entire tables of user information to her (or to anyone else). This wasn’t a subtle bug either: the schema exposed queries named “users,” “sessions,” and “paymentOptionsV2,” and the backend would cheerfully return whatever was asked, with neither an authentication check nor any check that the caller was entitled to the records requested. In other words, Merkur’s backend was effectively world-readable for anyone who knew where to look.


Through this leaky GraphQL interface, virtually every sensitive detail about players was downloadable. Wittmann demonstrated access to: full names, account usernames, and internal player IDs; detailed game session logs (every bet or spin), including players’ IP addresses and device details; and extensive financial records. Even more alarming, the breach exposed troves of payment data across multiple payment providers. This included bank account and transaction details from services like Trustly, PayPal, Paysafecard, Skrill, and others – totaling hundreds of thousands of payment records. In many cases, these entries contained partial home addresses, emails or IBANs linked to player accounts.


Perhaps the most disturbing find was the cache of identity verification documents left unprotected. Over 70,000 files of KYC (Know Your Customer) data – scans of personal IDs, selfies, and address proofs that players had uploaded – were sitting on an unlocked server. “Players use the most private documents to prove their identity” in online gambling, Wittmann noted, which made it all the more outrageous that these were accessible to anyone. The leak essentially offered up a complete profile of each affected gambler, from their name and address down to their betting history and passport scan.


And it didn’t stop at just viewing data. Wittmann found she could even initiate financial transactions on user accounts. A separate API endpoint (a payment service URL used by The Mill’s system) was publicly reachable, allowing any person to trigger deposits or withdrawals on behalf of any user just by plugging in that user’s ID: a textbook insecure direct object reference, where the server trusts whatever account identifier the client supplies instead of taking it from an authenticated session. While withdrawals required manual approval in some cases, Wittmann discovered at least one scenario where an unauthorised cash-out succeeded. In a darkly comic twist, her testing inadvertently siphoned about €200 (in cryptocurrency) from a test account of an unlicensed casino – “I have successfully relieved an illegal casino of 3 Litecoin,” she wrote, noting the transfer only after the fact. In short, the vulnerabilities were both broad and deep: not only could intruders vacuum up personal data, they might also steal funds or tamper with player accounts under the right circumstances.
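The two defects described in this section (an API that answers anyone and returns as much as it is asked for, and a payment operation that acts on whatever user ID the client supplies) are easy to show in miniature. The Python below is an added example written for this article; it is not code from Merkur, The Mill Adventure or Wittmann’s report. The `Backend` class, the request shape, the sample records, the `withdraw` operation name and the page cap are all assumptions made for illustration. It pairs a vulnerable dispatcher with a hardened one that fails closed on anonymous callers, scopes every query to the authenticated user, takes the account identity from the session rather than the request body, and caps page size.

```python
"""Added illustration of the two API defects discussed in the article.
Not code from Merkur, The Mill Adventure or Lilith Wittmann's report:
every record, name and operation here is constructed for the example."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


class AuthError(Exception):
    """Raised when a request is anonymous or targets data it does not own."""


@dataclass
class Request:
    """Hypothetical request context: operation name, authenticated caller
    (None = anonymous) and the operation's arguments."""
    op: str
    caller_id: Optional[int] = None
    args: Dict[str, Any] = field(default_factory=dict)


class Backend:
    MAX_PAGE = 100  # hard cap on records per response (hardened path only)

    def __init__(self) -> None:
        # Constructed sample data; the IBANs are placeholders, not real accounts.
        self.users = {
            1: {"id": 1, "name": "Alice Example", "iban": "DE00000000000000000001"},
            2: {"id": 2, "name": "Bob Example", "iban": "DE00000000000000000002"},
        }
        self.sessions = {
            1: [{"user_id": 1, "ip": "203.0.113.5", "bet": 2.0}],
            2: [{"user_id": 2, "ip": "198.51.100.7", "bet": 5.0}],
        }
        self.balances = {1: 100.0, 2: 50.0}

    # -- VULNERABLE: no authentication, no ownership check, no page cap --
    def query_vulnerable(self, req: Request) -> Any:
        if req.op == "users":
            limit = int(req.args.get("limit", 10))
            return list(self.users.values())[:limit]        # anyone gets every account
        if req.op == "sessions":
            limit = int(req.args.get("limit", 10))
            return [s for rows in self.sessions.values() for s in rows][:limit]
        if req.op == "withdraw":
            uid = int(req.args["user_id"])                   # victim chosen by the caller
            self.balances[uid] -= float(req.args["amount"])
            return self.balances[uid]
        raise ValueError(f"unknown operation {req.op!r}")

    # -- HARDENED: fail closed, scope to the caller, bound the result size --
    def query_hardened(self, req: Request) -> Any:
        if req.caller_id is None or req.caller_id not in self.users:
            raise AuthError("authentication required")      # checked before any resolver
        limit = min(int(req.args.get("limit", self.MAX_PAGE)), self.MAX_PAGE)
        if limit < 1:
            raise ValueError("limit must be positive")
        if req.op == "users":
            return [self.users[req.caller_id]]                # only the caller's own record
        if req.op == "sessions":
            return self.sessions.get(req.caller_id, [])[:limit]
        if req.op == "withdraw":
            if "user_id" in req.args and int(req.args["user_id"]) != req.caller_id:
                raise AuthError("cannot act on another user's account")
            amount = float(req.args["amount"])
            if amount <= 0 or amount > self.balances[req.caller_id]:
                raise ValueError("invalid amount")
            self.balances[req.caller_id] -= amount           # identity comes from the session
            return self.balances[req.caller_id]
        raise ValueError(f"unknown operation {req.op!r}")


def dump_everything(backend: Backend) -> List[dict]:
    """What an anonymous caller gets from the vulnerable path with an oversized page."""
    return backend.query_vulnerable(Request("users", args={"limit": 1_000_000}))


def refused(backend: Backend, req: Request) -> bool:
    """True if the hardened path rejects the request on authorization grounds."""
    try:
        backend.query_hardened(req)
    except AuthError:
        return True
    return False


def run_demo() -> Dict[str, Any]:
    """Exercise both paths on fresh backends and return the observable results."""
    v, h = Backend(), Backend()
    return {
        "anon_dump_count": len(dump_everything(v)),
        "anon_withdraw_balance": v.query_vulnerable(
            Request("withdraw", args={"user_id": 2, "amount": 10})),
        "anon_refused": refused(h, Request("users", args={"limit": 1_000_000})),
        "own_record": h.query_hardened(Request("users", caller_id=1)),
        "capped_sessions": h.query_hardened(
            Request("sessions", caller_id=2, args={"limit": 1_000_000})),
        "cross_user_withdraw_refused": refused(
            h, Request("withdraw", caller_id=1, args={"user_id": 2, "amount": 10})),
        "own_withdraw_balance": h.query_hardened(
            Request("withdraw", caller_id=1, args={"amount": 10})),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The essential difference is where identity comes from. The vulnerable path reads the account to act on from the request, so the caller picks the victim; the hardened path refuses anonymous callers before any resolver runs, derives the account from the authenticated session, and treats a client-supplied `user_id` that disagrees with it as an attack rather than a parameter. The page cap is the cheap defence against the “extremely large queries” used to bulk-download tables.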


Scope of the Breach: 800,000 Players Exposed


By all accounts, this was one of the largest gambling data breaches in Germany to date. Wittmann’s report indicated that over 800,000 individual players’ records were exposed across Merkur’s various platforms. Merkur’s casinos cater to a huge user base, and it appears a significant share of them had their info caught up in this incident. The sensitive data spanned years of operations and multiple brands, since Merkur’s online sites share a common backend.


The types of data involved were comprehensive:


  • Personal details – Full names of players and in some cases their usernames or nicknames.


  • Government IDs and documents – Scans of ID cards, passports, and even letters (e.g. from employment offices) used for verification, numbering over 70,000 files.


  • Account and financial data – Bank and payment information linked to accounts. Records included IBAN bank account numbers, account holder names, birth dates, emails, partial addresses, and even some credit card details, depending on the payment provider. Transactions through at least seven payment providers were exposed, such as Trustly (with ~104,000 records of IBANs and names), PayPal (~120,900 records of emails and addresses), Adyen (~128,965 records including card details), and others.


  • Betting and play history – Every session and bet a player made, including timestamps and game details, as well as the IP address and browser info they used while playing.


  • Account status data – Internal metadata such as each player’s unique ID (used by the regulator’s monitoring system), the timestamp of their registration in LUGAS (the regulator’s cross-operator activity and limit monitoring system), last login time, account limits and settings, etc.


In essence, if you had an account on Merkur’s Slotmagie, CrazyBuzzer, MerkurBets (or affiliated platforms) in recent years, nearly everything about your account was laid bare. Such a haul of information could be a gold mine for cybercriminals – enabling identity theft, targeted phishing (knowing exactly where and how someone gambles), or fraud against payment accounts. It’s a nightmare scenario for users, who now must worry about where that data might end up. One frustrated Merkur customer, writing on a forum amid the revelations, called it “a scandal” and accused the company of downplaying the issue while their personal information hung in the wind.

Image: A maintenance page on Merkur’s CrazyBuzzer casino site, displayed on March 15, 2025, after news of the breach broke. Merkur temporarily took several casino platforms offline that day. The operator initially claimed an unrelated outage of the national LUGAS monitoring system was responsible for the downtime.

Merkur’s Response: Swift Fixes, Slow Acknowledgment


Merkur (Gauselmann Group) scrambled into damage-control mode once the regulator and Wittmann had the goods. Internally, as soon as the authorities alerted Merkur at the end of February, the company says it patched the specific vulnerability on the same day (Feb 28). By early March, Merkur had also engaged external IT security experts to audit and fortify their systems. In other words, the technical hole was quietly closed weeks before the public knew – but millions of data records had already been sitting exposed for who knows how long.


Merkur formally began notifying affected players on March 13, 2025, one day before Wittmann went public. In an email to users (later mirrored on its websites as a public notice), the company admitted a “data protection incident” had occurred. However, the tone of Merkur’s message was notably defensive. The notice emphasised that the breach was the result of a “cyberattack on the IT system of one of our service providers”, and that despite “extensive security measures” it had taken, a “so-called ‘white hat’ hacker” managed to gain access. Merkur was careful to paint Wittmann in a positive light – calling her an ethical hacker acting without malicious intent – and reassured customers that “to the best of our knowledge, [the] activists have no intention of sharing or misusing the information obtained.” In plain terms, yes, someone accessed a bunch of your data, but don’t worry, she’s one of the good guys.


Crucially, Merkur’s notice claimed that due to a “faulty configured interface” on its site, it was “possible for a registered customer to view other customers’ data”. This rather mild phrasing glossed over the reality: in truth any internet user (not just a logged-in customer) could query the data, and the amount of information viewable went far beyond “other customers’ data” – it was basically all customers’ data. Merkur also asserted that accessing the info “required a particularly high level of technical expertise and bypassing of various security measures”. (Wittmann would likely beg to differ; she described the flaws as embarrassingly easy to find, saying “we’re not talking about a few accidentally left-open gaps here”.)


When questioned by the press, the parent company Gauselmann Group doubled down on certain narratives. A Merkur spokesperson told Heise Online that the March 15 casino outages were forced by an unrelated issue – specifically, they blamed an unexpected failure in the LUGAS gambling oversight system for knocking their sites offline, “having nothing to do with the cyberattack on our service provider”. (There was indeed a short LUGAS glitch that day, according to the regulator, but other casino operators weren’t completely offline – making Merkur’s full shutdown look more like an extreme precaution or an attempt at misdirection.) Merkur’s statement also highlighted that they consider Wittmann an “ethical hacker, not a data thief,” implicitly casting the incident as a contained security exercise rather than a malicious breach.


To their credit, Merkur says they have since implemented additional safeguards, security audits, and internal protocols to prevent a repeat of such an incident. As of mid-March, all affected platforms were back online and operating normally. Still, the company’s communications struck many as downplaying the severity – focusing on how trustworthy the hacker was, instead of fully owning the lapse that allowed this disaster in the first place.


Regulators Weigh In: Reprimands and Investigations


The Gemeinsame Glücksspielbehörde der Länder (GGL) – Germany’s unified gambling regulator – had a front-row seat to this incident, thanks to Wittmann’s approach. After verifying the security gaps and securing forensic evidence, the GGL took a rare public action. On March 17, 2025, it issued an official public reprimand (“Öffentliche Abmahnung”) against the involved parties. Specifically, the GGL called out Merkur’s Malta-based operating subsidiaries (such as Cashpoint Malta Ltd., which operates Merkur’s online betting and slots under German license) and the platform provider The Mill Adventure for failing to meet basic IT security obligations. Under Germany’s gambling law, licensed operators must conduct annual penetration tests and adhere to OWASP security standards – something Merkur’s team had evidently neglected. The regulator’s notice bluntly stated that this lapse “led to a lack of security for player data” on Merkur’s websites, with exposed data including player IDs, names, addresses, bank details (IBANs), login records, and more.


The GGL’s reprimand wasn’t just a scolding in the newspaper; the companies were placed on a public warning list on the GGL site – essentially naming and shaming them for the breach. The Mill Adventure and its partner operators were instructed to remedy the security failures by June 2025 or potentially face further action. The regulator noted, however, that by late March the immediate vulnerabilities had been fixed and “the regulatory violations had since been resolved.” GGL officials also confirmed they were investigating the incident in depth. Notably, they secured evidence before notifying Merkur, so that it could not be altered or lost, and they probed whether other platforms (including unlicensed casino sites running on the same software) were affected.


As for data protection authorities, there has been no public statement yet from Germany’s or Malta’s privacy regulators, but GDPR looms large in the background. Leaking hundreds of thousands of individuals’ personal data – including IDs and financial info – is a serious breach under EU law: Article 33 requires the controller to notify the supervisory authority within 72 hours of becoming aware of it, and Article 34 requires notifying the affected individuals when the risk to them is high. It’s almost certain that notifications have been filed. Whether fines or legal consequences will follow is an open question. (One legal expert told industry media that the GGL itself might have inadvertently been at risk, since the exposed player IDs could be used to query additional personal data from the regulator’s own systems via GDPR requests. This somewhat convoluted scenario underscores how far-reaching the implications of the leak could be.)


Industry & Community Reaction: “Do They Even Care?”


News of the Merkur breach has reverberated through both the cybersecurity community and the gambling industry. To security professionals, the case is a textbook example of how not to secure an API. Exposing such vast amounts of data with no auth is “unbelievably negligent,” as many observers noted on social media. Wittmann herself did not mince words about Merkur’s practices. In an interview after the story broke, she criticised the operator’s lax stance: “They didn’t give a damn about the security of the players’ data,” Wittmann told Heise, adding that this wasn’t a minor bug but an array of serious failures. Fellow researchers lauded her approach of involving regulators first – a move that likely prevented evidence from being destroyed or quietly swept under the rug by the company. There’s also an undercurrent of irony noted by commentators: Merkur Group had publicly championed responsible gambling and distanced itself from “grey market” casinos, yet its own security oversights ended up exposing data across both its legal and some illegal platforms running the same software.


Within the online gambling sector, the incident has sparked uncomfortable questions. Could other operators be harboring similar vulnerabilities? If a major name like Merkur (with all its resources and regulatory oversight) fell asleep at the wheel, what about smaller operators? Industry publications have pointed out that this breach “raised questions around the risks associated with cyber-attacks on the sector” and whether player data is truly secure in online betting. The fact that a third-party platform (The Mill Adventure) was at the heart of the issue also puts a spotlight on the supply chain: many online casinos outsource their core software, and a single weak link there can cascade into a disaster for multiple brands. The Mill Adventure has since called the breach “an unprecedented event for our systems” and says it “took immediate action” alongside top cybersecurity experts to fix the flaws. Such assurances, while welcome, do little to erase the black eye this event has given the involved companies.


Regulatory and legal voices are also weighing in. The GGL’s public reprimand is one thing, but industry experts predict that harsher penalties could still follow. The range of possibilities includes fines, enforced license conditions (like third-party audits), or even temporary suspension of operating licenses if regulators found gross negligence. “They could choose to suspend the licences… with immediate effect,” one legal expert noted, though that would be a nuclear option. More likely, Merkur will be under tight scrutiny for the foreseeable future – any further misstep could trigger severe regulatory consequences.


Meanwhile, players are left to deal with the fallout on a personal level. Merkur’s notice to customers advised them to exercise caution against possible fraud – a tacit admission that their info might be misused by unknown third parties. Security experts echoed this: if you had an account on these sites, watch your bank statements, and be alert to potential identity theft or phishing attempts. It’s cold comfort, considering that users had no hand in this mess beyond trusting the casino with their data. “Check your accounts and maybe take a break from online gambling for a bit” seems to be the prevailing advice.


Ongoing Fallout and What’s Next


As of late March 2025, the immediate crisis has been contained – the data is no longer openly accessible, and Merkur’s casinos are back online. But the repercussions are far from over. Investigations are ongoing: the GGL is delving into how this breach occurred and evaluating Merkur’s remediation steps, while likely coordinating with data protection officials on the privacy side. Potential lawsuits could emerge as well; with 800,000+ affected individuals, the door is open to collective redress actions (Germany has no US-style class action, but it does have model declaratory and representative actions) and to individual claims for damages under GDPR Article 82 if any of those people suffer losses due to the leak. Gauselmann Group will have to regain the trust of both regulators and its customer base, a task easier said than done.


This incident also serves as a wake-up call for the gambling industry. It highlights the importance of rigorous security testing – remember, one of the glaring findings was that Merkur’s operations had skipped required yearly penetration tests. That’s likely to change now, not just for Merkur but for all operators who took note. Regulators, too, might toughen their stance, conducting surprise security audits or mandating proof of robust data protection measures. As for the players, they can only hope that the stewards of their data (casinos and regulators alike) truly learn from this debacle.


In the end, Merkur’s data breach was a perfect storm of complacency meeting opportunity. It took a vigilant outsider to uncover it. The timeline – from Wittmann’s quiet report to the regulator, to the public exposé and the scrambling that followed – reads almost like a heist movie in reverse: the treasure was sitting in plain sight, and the alarm was raised not by the guards, but by a concerned citizen. The coming months will show whether Merkur and its peers will shore up their defences or become cautionary tales in cybersecurity textbooks. One thing is certain: the cost of this breach will be measured not just in regulatory fines or IT budgets, but in the shaken confidence of players whose most private data was treated with so little care.


Sources: Lilith Wittmann’s original Medium report (“Casinonutzer der Merkur-Gruppe verlieren nicht nur ihr Geld sondern auch ihre Daten”, Medium, March 2025); Heise Online coverage (“Online-Casinos wie ‘Slotmagie’ nach Datenverlust offline”); the GGL public reprimand notice (Glücksspiel-Erlaubnisinhaber | Öffentliche Abmahnungen, GGL – Gemeinsame Glücksspielbehörde der Länder (AöR)); industry analyses and news reports (“Is player data secure? Merkur’s breach raises questions”; “Merkur Information Leak Raises Concern Over Data Protection”); Merkur Group’s customer notice and statements as quoted in that coverage; and additional reporting by Gaming Eminence.
