2UP.io | No-KYC Crypto Casino & BTC Sportsbook | Fast Withdrawals + 200% Bonus

[Mandoy]

...

Thank you for this quick update. I feel more at ease now that the situation will be resolved.
But your remark about "only email verification" does not make much sense. Even with email verification there should be a code sent to the email with every new device logging in. And the fact that we didn't get a code says the hacker managed to circumvent the verification. And this person probably could have circumvented the 2FA too. Looks like it was someone connected to your database, maybe even an employee. I think you should seriously investigate it and kick suspicous employees out.

That suspicion makes sense. The official explanation is confusing, honestly. Any new device login should still trigger verification email or 2FA that's just how it's supposed to work. But if someone got into the server directly, all of that becomes irrelevant. Not personally hit by this but still worried, this platform gets used regularly and a withdrawal went through just hours before finding out what happened. At least 2UP responded. Now it's just waiting. Hope the people who got affected actually see their money come back.

I know that many users might be wary of this situation. If only email verification was available, it should, in most cases, send a verification email or alert at login time from a new device. As some of those affected users reportedly got nothing, questions have been raised on how the attackers were able to go through the system. However, without proof it may be too early to label staff as the culprits. Now, it's whether 2UP will investigate in an open manner, describe what actually occurred, and restore all balances that were affected. While it's good that it's quick to communicate from the platform, users will demand improved security features going forward.

[Bitinity]

Yeah he is @Bitinity but he hasn't confirmed anything well, we'd better wait a few hours.

Same for me, there are 2 unknown login attempt 12-13hours ago but luckily my balance is not gone. Maybe because my balance is small amount only (few tens of dollar) so the hacker do not care about it  .

What I am surprised is that I was playing at the time of those 2 unknown login attempts. Logically the hacker should have the verification code to login, but no verification code came to my email at the time of those unknown login attempts.

[BitcoinHunt3r]

Same for me, there are 2 unknown login attempt 12-13hours ago but luckily my balance is not gone. Maybe because my balance is small amount only (few tens of dollar) so the hacker do not care about it  .
What I am surprised is that I was playing at the time of those 2 unknown login attempts. Logically the hacker should have the verification code to login, but no verification code came to my email at the time of those unknown login attempts.

Yeah 2UP.io has confirmed that this is indeed happening to some accounts. Have you enabled Two-Factor Authentication (2FA)?  they said this illegal access only occurred on accounts that used email verification, if your 2FA is active but can be accessed, it means this is a serious problem and 2UP.io team must improve security. I personally don't activate 2FA because I don't have any balance in my account but if I have balance especially if it is $xxx of course I will activate it, I know attacks can come from anywhere.

[PERtua]

Same for me, there are 2 unknown login attempt 12-13hours ago but luckily my balance is not gone. Maybe because my balance is small amount only (few tens of dollar) so the hacker do not care about it  .
What I am surprised is that I was playing at the time of those 2 unknown login attempts. Logically the hacker should have the verification code to login, but no verification code came to my email at the time of those unknown login attempts.

Yeah 2UP.io has confirmed that this is indeed happening to some accounts. Have you enabled Two-Factor Authentication (2FA)?  they said this illegal access only occurred on accounts that used email verification, if your 2FA is active but can be accessed, it means this is a serious problem and 2UP.io team must improve security. I personally don't activate 2FA because I don't have any balance in my account but if I have balance especially if it is $xxx of course I will activate it, I know attacks can come from anywhere.

I just don't think this is something that I want to see if there are people that are trying to log in during that time while they are trying to be active. If it was somehow possible to get around verification or not be triggered correctly in email then email security is obviously not sufficient. Even smaller amounts should try to enable 2FA. Meanwhile, 2UP.io needs to look into this thoroughly and publicly describe in details how these unauthorized accesses have been made. Transparency and robust security are crucial to users' trust of the crypto casino platform.

[Bitinity]

.......

Yeah 2UP.io has confirmed that this is indeed happening to some accounts. Have you enabled Two-Factor Authentication (2FA)?  they said this illegal access only occurred on accounts that used email verification, if your 2FA is active but can be accessed, it means this is a serious problem and 2UP.io team must improve security. I personally don't activate 2FA because I don't have any balance in my account but if I have balance especially if it is $xxx of course I will activate it, I know attacks can come from anywhere.

I have not enabled 2UP when it was happened but I have just enabled it. I was too much focusing on the VIP transfer target before so I forgot to enable 2FA while I have my all other gambling accounts with active 2FA especially where I mostly play. Wondering how much is the total loss for this recent hack? Hopefully not that big and all the affected accounts will get what they loss back asap.

[BitcoinHunt3r]

I have not enabled 2UP when it was happened but I have just enabled it. I was too much focusing on the VIP transfer target before so I forgot to enable 2FA while I have my all other gambling accounts with active 2FA especially where I mostly play. Wondering how much is the total loss for this recent hack? Hopefully not that big and all the affected accounts will get what they loss back asap.

As far as I know no money was withdrawn but only spent in the game which means it is easy to recover because it only moves to the Casino wallet/storage
From this forum 2 users confirmed they have balances of around $20k and $8k but there may be other users who come from outside the forum for example from Stream, Twitter/X and others. Honestly I'm a bit surprised why hackers play Mahjong games usually they play other games that are easy to cheat   I know this game is familiar in my country especially mahjong ways 2 do you think the same?

[SquirrelJulietGarden]

Yeah 2UP.io has confirmed that this is indeed happening to some accounts. Have you enabled Two-Factor Authentication (2FA)?  they said this illegal access only occurred on accounts that used email verification

Not sure it is from a hack on an email platform, email provider or all accounts with email verification set up for 2Up accounts were compromised?
It compromised accounts with email addresses from a same email provider, it seems the issue is on email company, not from 2Up. In contrast, if there are diversifying email providers from hacked accounts, 2Up must take a look at their security and improve it as soon as possible.

Generally I don't know why in 2026, people still use email confirmation as their 2FA for their accounts. It's very insecure 2FA option and it's not recommended method, while there are 2 Factor Authenticator applications to use exclusively open source ones.

I have not enabled 2UP when it was happened but I have just enabled it. I was too much focusing on the VIP transfer target before so I forgot to enable 2FA while I have my all other gambling accounts with active 2FA especially where I mostly play. Wondering how much is the total loss for this recent hack? Hopefully not that big and all the affected accounts will get what they loss back asap.

It's big lesson, but you knew about 2FA application, and 2FA option for your account, just forgot to activate it for your account. Generally it is still a lesson for you, and hopefully in the future, activating 2FA for accounts will be like a mandatory step you will never forget.

https://www.privacytools.io/secure-password-manager
https://www.privacyguides.org/en/multi-factor-authentication/

[BitcoinHunt3r]

Not sure it is from a hack on an email platform, email provider or all accounts with email verification set up for 2Up accounts were compromised?
It compromised accounts with email addresses from a same email provider, it seems the issue is on email company, not from 2Up. In contrast, if there are diversifying email providers from hacked accounts, 2Up must take a look at their security and improve it as soon as possible.

Generally I don't know why in 2026, people still use email confirmation as their 2FA for their accounts.

I think the weakness comes from the 2UP.io system, hackers can login without email confirmation while for withdrawals require email confirmation , therefore hackers cannot withdraw money from the account, well from here we can understand the problem. By the way I just saw another user confirm that the balance has been credited so anyone affected by this problem please check your balance and if there is miscalculation don't forget to immediately report it to the support team.

Generally I don't know why in 2026, people still use email confirmation as their 2FA for their accounts

This feature automatically enabled when creating an account while if they want extra security they have to activate 2FA
I remember interesting feature in another casino, so when we have a balance, a warning popup will appear to activate 2FA well, maybe this is a good idea to implement here.

[suzanne5223]

Based on what everyone has explained about what happened to their account, the only thing that could make a hacker access an account without triggering an email code when logging in from a different location is through session hijacking/cookie theft, which i once heard to be a common attack hackers use on gambling and crypto sites.

With the session hijacking/cookie theft, the hacker doesn't need the email code to login into user account.

What could make the attack possible is logging in through a fake 2up.io website, no 2FA enabled, auto logged, and compromising the extension?

I believe the use of 2FA would have prevented the issue, so @2UP.io was right when s/he said the only accounts affected are those with no 2Fa enabled, and I believe this should be an eye opening for all gamblers and crypto enthusiasts to always use 2FA, strong antimalware, antivirus with realtime protection.
Those who doubt my statement should do some research about how session hijacking/cookie theft operates.
@GeerieErik @MegaAkker @Bitinity @BitcoinHunt3r

[Rruchi man]

I believe the use of 2FA would have prevented the issue, so @2UP.io was right when s/he said the only accounts affected are those with no 2Fa enabled, and I believe this should be an eye opening for all gamblers and crypto enthusiasts to always use 2FA, strong antimalware, antivirus with realtime protection.

Many gamblers have paid less attention and given less importance to the use of two-factor authentication, and I am not innocent of that too. I think this is a strong occurrence to learn from.

2FA is not just for your exchanges; it is also useful for your casino account.

[GeerieErik]

Well, a couple hours ago I received an email that they solved the problem. They call it a temporary system glitch and apologized fully, giving me back my 8K stolen plus even a nice gesture of a bonus code for $100 for my troubles.
I have to say, a quick solution and good effort from 2up. Still, I hope some improvement in their system has been made too.
It would be nice if they can explain here in a bit more detail what they think happened and if they believe it could have been an employee.

[GeerieErik]

I believe the use of 2FA would have prevented the issue, so @2UP.io was right when s/he said the only accounts affected are those with no 2Fa enabled, and I believe this should be an eye opening for all gamblers and crypto enthusiasts to always use 2FA, strong antimalware, antivirus with realtime protection.

Many gamblers have paid less attention and given less importance to the use of two-factor authentication, and I am not innocent of that too. I think this is a strong occurrence to learn from.

2FA is not just for your exchanges; it is also useful for your casino account.

Everyone keeps saying the breach happened due to not having 2FA, but I believe this played no role here. Multiple people have reported this happening, it cannot be possible that EVERY email box has been hacked. And if they were hacked, then why didn't the hacker receive the code in the email and processed a withdrawal?

I think the problem here is that the hacker found a way around the protection of receiving a code to log in, whether it be email or 2FA, and therefore it could have been working for 2FA just as easily. I'm still waiting for a user here to report that they also had a suspicious login while having 2FA turned on, but the fact that we didn't hear that yet could also be due to the fact that simply not many users have 2FA enabled.

So....if any user on here had 2FA enabled before yesterday, please check your "sessions" tab if there was a suspicious login or not.