1Win Breach

Jan 1, 2024

96,544,764 rows

Added on Jan 13, 2025

What happened in the 1Win Breach?

DataBreach.com Team · January 12th 2025, 7:00 pm EST

In early November 2024, international online bookmaker 1Win quietly joined the swelling ranks of companies breached by opportunistic cyber-criminals. A hacker using the handle “fe0dor” published a 29-gigabyte archive on the Exploit-in forum, boasting more than 450 million database rows siphoned from the platform’s production servers. Researchers reviewing the dump estimated that those rows represented roughly 100 million unique accounts, making it one of the largest gambling-industry breaches on record. Exposed fields included full names, email addresses, mobile numbers, dates of birth, IP addresses, geographic locations and unsalted SHA-256 password hashes. Password-reset tokens and some security questions also appeared. 
 
Although the breach surfaced within hours on underground Telegram channels, 1Win maintained public silence, fueling speculation about inadequate monitoring and crisis coordination. Three months later, on 3 February 2025, Troy Hunt ingested a sanitized copy into Have I Been Pwned and began emailing alerts to nearly 96 million affected addresses. Hunt confirmed the authenticity of multiple credential pairs supplied by reporters and warned that the lack of salts could shrink brute-force cracking times from weeks to hours. His verification transformed a rumoured leak into an undeniable incident, forcing 1Win to acknowledge the compromise and initiate forced password resets for active accounts. 
 
Investigators believe misconfigured Elasticsearch and ClickHouse analytics clusters, left exposed without authentication, provided the initial foothold rather than bespoke malware or an insider scheme. Once inside, attackers allegedly escalated privileges with legacy service accounts that still possessed write access to production backups. Because 1Win operates under a Curaçao licence yet courts customers across Europe, the CIS and Asia, privacy regulators in several jurisdictions—including the United Kingdom’s ICO and Germany’s BfDI—have begun scoping coordinated probes. Legal experts predict that, should investigators confirm negligence, fines could exceed €10 million, dwarfing penalties previously imposed on smaller betting operators over the past decade.
 
For ordinary customers, the breach raises immediate risks extending well beyond account theft. Phone numbers aligned with geolocation data enable sophisticated social-engineering attacks, while betting history implied by IP and timestamp fields may expose users in jurisdictions where online gambling is restricted.

For media inquiries, contact us at contact@databreach.com