1Win 2024 Data Breach

1Win Online Betting Platform Breach (2024): 96 Million User Records Including Passport Numbers Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Misconfigurationfe0dorViceGamblingDate of BirthEmail AddressGeographic LocationIP AddressPassport NumberPassword
High SeverityWebsite / service breach

1Win Online Betting Platform Breach (2024): 96 Million User Records Including Passport Numbers Exposed

Online betting and gaming platform.

Verified by ObscureIQ Intelligence
65/100Breach Risk Index
35Data Value
25Market Recency
469dSince Breach

Breach Intelligence Summary

Entity: 1Win · Actor: fe0dor · Sources: 6 references
Attack: Misconfiguration
Timeline: Breach (2024-11-02) · Indexed (Jan 13, 2025) · Year (2024)
Exposure: 96.5M records · 7 fields: Date of Birth, Email Address, Geographic Location, IP Address, Passport Number, Password, Phone Number
Status: Confirmed

Executive Summary

1Win, an international online sports betting and casino platform, suffered a data breach in early November 2024 after a threat actor using the handle "fe0dor" exploited a server misconfiguration to access the platform's production systems. The attacker published a 29-gigabyte archive on the Exploit.in underground forum containing more than 450 million database rows. Researchers estimated those rows represented approximately 96 million unique user accounts, placing it among the largest recorded breaches in the gambling industry. The attacker initially demanded $1 million in ransom, later escalating that demand to $15 million before negotiations collapsed. 1Win's founder confirmed the breach publicly via Telegram and stated that infrastructure had since been secured. The exposed data included full names, email addresses, phone numbers, dates of birth, geographic locations, IP addresses, passport numbers, and password hashes. Those passwords were stored using SHA-256 without salting, a weak implementation that dramatically reduces the time needed to crack them through brute force. Security researcher Troy Hunt verified the dataset's authenticity in February 2025 and added it to Have I Been Pwned, notifying nearly 96 million affected email addresses. The combination of passport data, location history, and crackable passwords creates serious risk of identity theft, account takeover, and financial fraud. Because 1Win serves gamblers, the exposed data could also be used to target individuals with coercive scams or to exploit problem-gambling behavior. 1Win made no formal breach notifications to affected individuals in most jurisdictions where it operates. Because the platform serves European Union users, it is subject to the General Data Protection Regulation, and regulators in the United Kingdom and Germany opened scoping inquiries following the incident. Affected individuals should treat their 1Win password as compromised, change it immediately on any other account where it was reused, and monitor financial accounts and identity documents for signs of misuse.

ObscureIQ assessment: High risk of fraud, account takeover, and payment abuse. Gambling activity can also support coercive scams, financial targeting, and exploitation of problem-gambling behavior.

About 1Win

1Win is an international online sports betting and casino platform operating under a Curaçao gaming license and incorporated in Cyprus. The platform accepts users across Europe, the Commonwealth of Independent States, Asia, and other markets, offering sports wagering, casino games, and live dealer products. 1Win is one of several large offshore betting operators serving markets where domestic regulation of online gambling is limited or absent.

Data Points Exposed

7 verified field types
Date of Birth High
Email Address
Geographic Location
IP Address
Passport Number Critical
Password Critical
Phone Number

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Breach Exploitation & Impact

Threat Activity:Critical
SignalStatus
Dark web / breach-channel circulationDetected
Breach-index indexingDetected
Identity / fraud relevanceHigh
Credential stuffing overlapHigh
Law enforcement final scopeUnknown
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Pattern-of-life analysis & physical surveillance
  • Geolocation & account flagging
  • International identity fraud & border exploitation
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing

Threat Actor: fe0dor

fe0dor
Misconfiguration

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
IdentityTheft.gov
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the 1Win breach?

1Win, an international online sports betting and casino platform, suffered a data breach in early November 2024 after a threat actor using the handle "fe0dor" exploited a server misconfiguration to access the platform's production systems. The attacker published a 29-gigabyte archive on the…

What data was exposed?

Verified fields include Date of Birth, Email Address, Geographic Location, IP Address, Passport Number, Password, Phone Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
Dehashed
Independent catalogue listing
Cross-source
LeakCheck.io
Independent catalogue listing
Cross-source
Leaked.Domains
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation