MyStake Failed to Notify Customers of Data Breach for Over Eight Months
MyStake is facing growing scrutiny after details emerged of a data breach that exposed hundreds of player accounts, with investigators claiming the casino stayed silent for months and failed to introduce basic security measures.

Online casino MyStake has come under renewed criticism after it emerged that the operator allegedly kept quiet about a major data breach affecting hundreds of players. The incident, first uncovered by Curaçao Chronicle, traces back to May 2025, yet users reportedly received no warnings or security instructions for more than eight months.
Credentials Published on Hacker Platforms
The breach became public after a PDF file containing login details for 540 MyStake accounts was shared online. The document included email addresses and passwords linked to active player profiles. Information about the leak was provided by investigative groups Deal Me Out and GAMRS, whose findings were later reviewed by independent experts.
Audit Reveals Full Account Access
During a technical audit, specialists were able to log into almost all of the accounts listed in the leaked file. Once inside, they reportedly encountered personal data stored without encryption. This included player names, home addresses, phone numbers, dates of birth, and detailed transaction histories.
According to auditors, the exposure did not appear to be limited to a short period. Instead, sensitive information remained accessible long after the leak became known, significantly increasing the risk of misuse.
No Warnings, No Mandatory Security Measures
Despite the scale of the incident, MyStake is said to have taken no visible action. Players were not formally notified. Password resets were not enforced. Compromised accounts were not suspended. There were also no public alerts warning users about possible identity theft or unauthorized access.
Investigators involved in the review stressed that cyber incidents themselves are hardly unusual in the gambling sector. What raises concern is the silence that can follow. When no action is taken, players are left dealing with very real risks, from fraudulent activity and phishing attempts to full account takeovers.
Regulators Informed, Questions Remain
MyStake operates under a Curaçao license and is managed by Santeda International B.V., which also controls casino brands such as Goldenbet, Velobet, Cosmobet, and Rolletto. Following the audit, Curaçao Chronicle contacted MyStake and Santeda for comment and also submitted inquiries to the Curaçao Gaming Authority, the Curaçao Data Protection Office, and the Ministry of Finance.
At the time of publication, no official responses had been made public.
Comparison With a Recent Industry Case
This is not the only recent data security incident involving an online casino. We previously reported on a similar situation affecting Stake Casino. The key difference, however, was the operator’s response: Stake publicly acknowledged the problem through its official channels, informing players and addressing the issue directly.

