1Win data breach

What Happened

In early November 2024, international online bookmaker 1Win suffered a massive data breach when a hacker using the alias “fe0dor” published a 29-gigabyte archive on the Exploit-in forum. The archive contained approximately 450 million database rows representing roughly 96 million unique user accounts. The exposed data included full names, email addresses, mobile phone numbers, dates of birth, IP addresses, geographic locations, and unsalted SHA-256 password hashes, along with password-reset tokens and security questions. The breach resulted from misconfigured ElasticSearch and ClickHouse analytics clusters left exposed without authentication; from there, the attackers escalated privileges using legacy service accounts with write access to production backups. Although the breach surfaced within hours on underground Telegram channels, 1Win maintained public silence for months until February 3, 2025, when Troy Hunt added a sanitized copy to Have I Been Pwned and began alerting nearly 96 million affected users. The attackers initially demanded $1 million in ransom, escalating to $15 million, and when 1Win refused to pay, they began leaking the database publicly. The lack of password salts significantly increased the risk of credential compromise, as brute-force cracking times could be reduced from weeks to hours.

Compromised Assets

  • email
