Online gambling operators BetVictor and Global Poker are wearing digital egg on their faces after unnecessarily exposing sensitive data.

On Wednesday, a post appeared on Medium.com detailing a major security cockup in which the Gibraltar-based, UK-licensed BetVictor was found to have left a raft of sensitive info, including administrative logins and passwords, accessible by any visitor who entered the right criteria into the site’s search function.

The blog post’s author Chris Hogben noted that he hadn’t attempted to verify whether the administrative info was current to avoid falling afoul of hacking laws. After sending an email to BetVictor’s admins detailing the apparent security own goal, the site closed off public access to the sensitive data pages.

A different researcher, who was reportedly able to duplicate Hogben’s access to the data in question before BetVictor rejigged its site, told Motherboard that the data included “extensive combinations of usernames and passwords.”