Online casinos such as "Slotmagie" offline after data loss

German online casinos of the Merkur Group shut down their games on Saturday. Before that, the most private data of hundreds of thousands of people had been accessible.


The online casino "Crazy Buzzer" has put up a cartoon-style landing page for the maintenance work.

(Image: Crazy Buzzer, Screenshot: heise online)


On the afternoon of March 15, 2025, the websites of online gambling providers Slotmagie, Crazybuzzer and Merkurbets went into maintenance mode. They belong to Merkur.com AG, one of the largest German companies for gambling of all kinds. According to observations by heise online, the games went offline on Saturday afternoon between 2 and 4 pm. The websites are still accessible, but games are no longer possible at the time of this report.

The evening before, security researcher Lilith Wittmann had pointed out in a blog post a massive data protection problem that had existed until shortly before: records on several hundred thousand players could be retrieved via the casinos' APIs. The provider had already informed players on Thursday evening about a security vulnerability and the associated data leak.

The casinos use a GraphQL interface, which also allows several nested objects to be retrieved in a single query. Unauthorized queries should have been blocked by a working authorization layer, but that was not the case here. Wittmann found not only data such as full names and account details, but also game histories and players' deposits and withdrawals. For many players, the documents with which they had verified their identity to the gambling provider were also retrievable.
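The failure described above is a missing object-level authorization check in GraphQL resolvers. The following added example (not code from the page, from Merkur or from The Mill Adventures) contrasts a vulnerable resolver set with a hardened one, using constructed in-memory records and a minimal executor for the nested query player -> transactions -> kycDocuments; the data, names and the `isAdmin` role are assumptions for illustration.

```javascript
// Constructed in-memory stand-ins for a casino's player, payment and KYC records.
const players = { 1: { id: 1, name: "Player One" }, 2: { id: 2, name: "Player Two" } };
const transactions = [
  { id: 10, playerId: 1, kind: "deposit", amount: 100 },
  { id: 11, playerId: 2, kind: "withdrawal", amount: 40 },
];
const kycDocuments = [
  { id: 100, playerId: 1, type: "id_card_scan" },
  { id: 101, playerId: 2, type: "id_card_scan" },
];
class ForbiddenError extends Error {}

// Vulnerable shape: each resolver trusts the id argument or the parent object alone,
// so any caller, logged in or not, can walk player -> transactions -> kycDocuments.
const vulnerableResolvers = {
  player: (_parent, { id }) => players[id] ?? null,
  transactions: (player) => transactions.filter((t) => t.playerId === player.id),
  kycDocuments: (player) => kycDocuments.filter((d) => d.playerId === player.id),
};

// Object-level authorization: the identity from the request context must own the
// record or hold an admin role (assumed role). The check belongs in EVERY resolver,
// not only the top-level one, since nested types are reachable via several query paths.
function assertCanRead(ctx, playerId) {
  const user = ctx && ctx.user;
  if (!user || (user.id !== playerId && !user.isAdmin)) {
    throw new ForbiddenError(`not allowed to read data of player ${playerId}`);
  }
}
// Wrap a resolver so the owner check runs before any data is returned.
function withOwnerCheck(resolver, ownerOf) {
  return (parent, args, ctx) => {
    assertCanRead(ctx, ownerOf(parent, args));
    return resolver(parent, args, ctx);
  };
}
const hardenedResolvers = {
  player: withOwnerCheck(vulnerableResolvers.player, (_parent, { id }) => id),
  transactions: withOwnerCheck(vulnerableResolvers.transactions, (player) => player.id),
  kycDocuments: withOwnerCheck(vulnerableResolvers.kycDocuments, (player) => player.id),
};
// Minimal executor for the nested query { player(id) { transactions kycDocuments } }.
function fetchPlayerProfile(resolvers, ctx, playerId) {
  const player = resolvers.player(null, { id: playerId }, ctx);
  if (!player) return null;
  return {
    ...player,
    transactions: resolvers.transactions(player, {}, ctx),
    kycDocuments: resolvers.kycDocuments(player, {}, ctx),
  };
}
```

With the vulnerable resolvers an anonymous context returns another player's full profile including the KYC document; with the hardened set the same request is refused while a player still sees their own data.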

According to the reports Wittmann used to inform the state gambling authority (GGL), which were made available to heise online, the data also included copies of ID cards and letters from employment agencies. Over 70,000 copies of ID cards alone are said to have been found, with data on over 800,000 people in total. Identity verification of customers, including via ID cards, is a legal requirement for some online providers as part of "Know-Your-Customer" (KYC) procedures.


The Merkur Group uses portal software from the Maltese company "The Mill Adventures" in its casinos. This had an inadequately protected GraphQL interface. According to Wittmann, the company operates a legal instance of its software as well as another for some online casinos that are not legal in Germany. Following spot checks early on Saturday evening, these presumably illegal casinos are also no longer accessible for the time being.

Why all casinos with The Mill software are now apparently no longer accessible remains unclear for the time being. The warnings issued by the Merkur Group on its website and by e-mail about a so-called "current data protection case" can only be endorsed: Anyone who was or is a customer at one of the casinos should pay increased attention to potentially illegal activity on their bank accounts or attempts at identity fraud.

As Lilith Wittmann told heise online, direct and anonymous access to the data has no longer been possible for a few days. However, it cannot be ruled out that others copied the casinos' trove of data since the end of February, before she accessed it.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.