The IT Blog<h2>Casino Data Jackpot – For Hackers: Merkur’s API Disaster</h2><p>A couple of days ago, I saw a Mastodon post from <a href="https://mastodon.social/@Lilith@chaos.social" rel="nofollow noopener" target="_blank">Lilith Wittmann</a> in my timeline. She linked to an article on her <a href="https://lilithwittmann.medium.com/casinonutzer-der-merkur-gruppe-verlieren-nicht-nur-ihr-geld-sondern-auch-ihre-daten-ef6710184f7c" rel="nofollow noopener" target="_blank">Medium page</a> detailing a catastrophic security failure at Merkur AG. You can find the original Mastodon post <a href="https://chaos.social/@Lilith/114161491881300469" rel="nofollow noopener" target="_blank">here</a>.</p><blockquote><p>The casino company Merkur AG and its service providers have made almost all the data available in their casino systems publicly accessible. This includes payment data, gaming sessions, and copies of the ID cards of over <strong>one million</strong> players.</p><p>Lilith Wittmann’s <a href="https://lilithwittmann.medium.com/casinonutzer-der-merkur-gruppe-verlieren-nicht-nur-ihr-geld-sondern-auch-ihre-daten-ef6710184f7c" rel="nofollow noopener" target="_blank">Medium Post (German)</a></p></blockquote><p>Oh wow. Losing the data of <strong>a million customers</strong> is bad enough. To make things worse, they also integrated third-party services like Sumsub for Know Your Customer (KYC) checks. So the leak also includes over <strong>70,000 ID photos, selfies and proofs of address</strong> from the KYC process.</p><p>A perfect setup for identity theft. What a mess!</p><p>All this was possible due to an <strong>unprotected GraphQL API</strong> endpoint.</p><h3>Let’s learn from this!</h3><p>For Merkur, the damage is massive. For us, it is a lesson to learn from: this breach is a good example of why <strong>securing APIs should be a top priority</strong>. 
Some simple steps that could have prevented this:</p><ul><li><strong>Never expose internal APIs to the public internet unless absolutely necessary.</strong> If an API must be public, it should have strict access controls, rate limits, and maybe even IP restrictions.</li><li><strong>Put sensitive systems in a private subnet.</strong> Even if an API is misconfigured, at least it won’t be wide open to the world.</li><li><strong>Use proper authentication, authorization, and role-based access control.</strong> A single user or role should never have unrestricted access to all sensitive data. Access should be limited to only the fields necessary for a given role.</li><li><strong>Regular security audits.</strong> If you’re handling sensitive data, you’d better have security experts regularly pentesting your systems.</li></ul><p>Obviously, a lot went wrong here. <strong>Let’s try to do better</strong> and avoid this kind of disaster in our own projects.</p><p><a href="https://www.locked.de/casino-data-jackpot-for-hackers-merkurs-api-disaster/" rel="nofollow noopener" translate="no" target="_blank">https://www.locked.de/casino-data-jackpot-for-hackers-merkurs-api-disaster/</a><br><a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://www.locked.de/tag/hacking/" target="_blank">#hacking</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://www.locked.de/tag/identitytheft/" target="_blank">#IdentityTheft</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://www.locked.de/tag/merkur/" target="_blank">#Merkur</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://www.locked.de/tag/merkurbreach/" target="_blank">#MerkurBreach</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://www.locked.de/tag/privacy/" target="_blank">#Privacy</a></p>
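<p>To make the third step above concrete (authentication, authorization, and per-role field limits on a GraphQL resolver), here is an added example that is not from the original post or from Merkur’s systems. The schema, role names, and player record are constructed for illustration; the point is the deny-by-default field allowlist, which means a newly added sensitive field is never readable until a role is explicitly granted it.</p>

```python
"""Deny-by-default, role-based field authorization for a GraphQL resolver.

Hypothetical schema (constructed for this example):
  type Player { id, nickname, paymentData, idDocument, gamingSessions }
Roles: "player" (own record only), "support", "kyc_officer".
"""
from dataclasses import dataclass
from typing import Optional

# Allowlist per role. Any field not listed here is denied, so adding a field
# to the schema never exposes it until someone grants it to a role.
FIELD_POLICY = {
    "player":      {"id", "nickname", "gamingSessions", "paymentData"},
    "support":     {"id", "nickname", "gamingSessions"},
    "kyc_officer": {"id", "idDocument"},
}

# Constructed sample record standing in for the player store.
PLAYERS = {
    "p1": {"id": "p1", "nickname": "lucky7", "paymentData": "IBAN DE00...",
           "idDocument": "passport-scan.jpg", "gamingSessions": 42},
}

@dataclass
class Context:
    """Per-request context; user_id is None for an unauthenticated call."""
    user_id: Optional[str] = None
    role: Optional[str] = None

def resolve_player(ctx: Context, player_id: str, requested_fields):
    """Return a GraphQL-style {"data", "errors"} response.

    Unauthenticated calls get no data at all; denied fields are reported in
    "errors" with their path and are never copied into "data".
    """
    if ctx.user_id is None:
        return {"data": None, "errors": [{"message": "authentication required"}]}
    # Object-level check: a player may only read their own record.
    if ctx.role == "player" and ctx.user_id != player_id:
        return {"data": None, "errors": [{"message": "forbidden", "path": ["player"]}]}
    allowed = FIELD_POLICY.get(ctx.role, set())  # unknown role -> nothing
    record = PLAYERS.get(player_id)
    if record is None:
        return {"data": {"player": None}, "errors": []}
    data, errors = {}, []
    for name in requested_fields:  # field-level check, one entry per field
        if name in allowed and name in record:
            data[name] = record[name]
        else:
            errors.append({"message": f"not authorized to read {name}",
                           "path": ["player", name]})
    return {"data": {"player": data}, "errors": errors}
```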