Security Vulnerability in Merkur Group: Player Data Breach
Scale of the Breach
Researcher Lilith Wittmann discovered a critical vulnerability in the API of the casinos Slotmagie, Crazybuzzer, and Merkurbets, owned by Merkur Group. A flaw in the system allowed unauthorized individuals to access the personal data of over 800,000 players. The exposed data included:
- Full names of users;
- Game identifiers (used by the GGL regulator);
- Payment data (including IBAN, addresses, and card details);
- Game session information (including IP addresses and device types);
- Copies of identity and address verification documents.
Particularly concerning, this data could be retrieved without any authentication by issuing simple API requests.
Payment System Issues
In addition to the personal data breach, a vulnerability was discovered in the system that allowed any user to transfer funds from other players’ accounts. Special URLs could be used to initiate transactions without additional authorization. However, the withdrawal process was complicated by manual verification of requests.
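Both findings above describe the same underlying failure: an API endpoint that trusts an identifier supplied in the request and never checks who is asking. The following is an added, constructed illustration, not code from the original article or from Merkur Group, showing a player-lookup handler and a transfer handler in the flawed form, next to hardened versions that require a session, enforce object-level authorization (a session may only act on its own account), refuse state changes triggered by a plain URL, and avoid echoing full account numbers. All player records, IBANs, balances and session tokens here are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Player:
    player_id: int
    name: str
    iban: str
    balance_cents: int


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, dict]


def make_store() -> Dict[int, Player]:
    """Fresh constructed sample data so every run starts from the same state."""
    return {
        1: Player(1, "Alice Example", "DE00000000000000000001", 10_000),
        2: Player(2, "Bob Example", "DE00000000000000000002", 5_000),
    }


# Constructed session table: bearer token -> player_id. A real service issues
# random, expiring tokens; these fixed values exist only to keep the example runnable.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}


# --- The failure pattern the article describes -------------------------------

def vulnerable_get_player(req: Request, store: Dict[int, Player]) -> Response:
    """Trusts the id in the request and never asks who the caller is."""
    player = store[int(req.params["player_id"])]
    return 200, {"name": player.name, "iban": player.iban}


def vulnerable_transfer(req: Request, store: Dict[int, Player]) -> Response:
    """State change reachable from a plain URL: no session, no ownership check."""
    src = store[int(req.params["from"])]
    dst = store[int(req.params["to"])]
    amount = int(req.params["amount"])
    src.balance_cents -= amount
    dst.balance_cents += amount
    return 200, {"status": "transferred"}


# --- Hardened handlers -------------------------------------------------------

def authenticate(req: Request, sessions: Dict[str, int]) -> Optional[int]:
    """Return the player_id bound to a valid bearer token, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return sessions.get(auth[len("Bearer "):])


def mask_iban(iban: str) -> str:
    """Data minimisation: the API never needs to echo the full account number."""
    return "*" * (len(iban) - 4) + iban[-4:]


def secure_get_player(req: Request, store: Dict[int, Player],
                      sessions: Dict[str, int]) -> Response:
    caller = authenticate(req, sessions)
    if caller is None:
        return 401, {"error": "authentication required"}
    requested = int(req.params["player_id"])
    # Object-level authorization: a session grants access to its own record only.
    if requested != caller:
        return 403, {"error": "forbidden"}
    player = store[requested]
    return 200, {"name": player.name, "iban": mask_iban(player.iban)}


def secure_transfer(req: Request, store: Dict[int, Player],
                    sessions: Dict[str, int]) -> Response:
    # A transfer changes state, so it must not be reachable from a GET URL.
    if req.method != "POST":
        return 405, {"error": "method not allowed"}
    caller = authenticate(req, sessions)
    if caller is None:
        return 401, {"error": "authentication required"}
    src_id, dst_id = int(req.params["from"]), int(req.params["to"])
    # Only the owner of the source account may move funds out of it.
    if src_id != caller:
        return 403, {"error": "cannot move funds from an account you do not own"}
    if dst_id not in store or src_id == dst_id:
        return 400, {"error": "invalid destination"}
    amount = int(req.params["amount"])
    if amount <= 0 or amount > store[src_id].balance_cents:
        return 400, {"error": "invalid amount"}
    store[src_id].balance_cents -= amount
    store[dst_id].balance_cents += amount
    return 200, {"status": "transferred"}
```

Two design points carry most of the weight. First, authentication alone is not enough: a logged-in user with a valid session still gets a 403 when the id in the URL is not their own, which is the check that distinguishes "who are you" from "are you allowed to touch this object". Second, carrying the session in an Authorization header rather than a cookie, and rejecting non-POST requests, means a crafted link opened by a logged-in victim cannot silently trigger a transfer, because browsers do not attach bearer headers automatically.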
Among the affected payment systems:
| Payment System | Number of Records | Information |
|---|---|---|
| Trustly | over 104k | including IBAN |
| PayPal | 120k | containing emails and addresses |
| Adyen | 128k | including card details and addresses |
| Skrill, Paysafecard, PayLado | tens of thousands | records including names, phone numbers, and other data |
Response from Merkur Group and the Regulator
According to the company, the vulnerability was fixed on February 28 after notification from GGL. A security audit was then conducted, and third-party experts were engaged to improve data protection.
However, on March 15, there were widespread platform failures, which the operator attributed to a malfunction of the national monitoring system, LUGAS. Users have criticized Merkur for insufficient transparency, as the data breach issue was not made public immediately.
GGL issued an official warning to Merkur, as the company had not conducted the mandatory annual security test required by law.
Consequences of the Data Breach
Data analysis revealed that:
- About 10% of players account for 70–90% of casino revenue, spending over 250 euros per month;
- The breach affected both legal and illegal platforms operating on the “the mill adventures” software;
- Some illegal casinos may be operated from Germany.
Despite legislative measures, security issues in the online gambling industry remain a concern. Experts emphasize the importance of protecting user data and strengthening oversight of casino operators.