Lock down your Shuffle account: 2FA, anti-phishing codes, withdrawal whitelist.

Two-factor authentication (2FA)

Once enabled, you'll enter a 2FA code at login and again when confirming withdrawals. The code prompt appears after the standard username and password step.

1. Go to Account Settings. Select Security.
2. Under Two-Factor Authentication, click Enable.
3. Open Google Authenticator, Authy, or your TOTP app of choice. Tap the + icon to add a new account.
4. Scan the QR code shown on Shuffle's screen, or enter the manual key if your app doesn't support scanning.
5. Enter the six-digit code generated by your app to confirm setup.
6. Save your backup codes somewhere offline. These let you recover access if you lose your phone.

Anti-phishing code

Phishing attacks typically involve fake emails that look identical to official casino communications but link to malicious sites. Shuffle counters this with a custom anti-phishing code: you set a short word or phrase in your security settings, and every legitimate Shuffle email will display this code at the top.

If you receive an email claiming to be from Shuffle and it doesn't show your anti-phishing code, it's fake. Delete it and don't click any links.

To set it up: Account Settings, Security, Anti-Phishing Code. Choose something memorable but not guessable. The code starts appearing on all Shuffle emails within minutes of saving.

Withdrawal address whitelist

The withdrawal whitelist means you pre-approve specific wallet addresses in your account settings. Once enabled, Shuffle will only process withdrawals to those addresses. A request to any other address will be blocked, even if the attacker has your login credentials and 2FA code.

For most players, this means adding the one or two wallets you regularly use. Addresses can be managed in Account Settings under Security. Adding a new address triggers a confirmation email to your registered address and a time-delay before it becomes active (Shuffle uses this delay to give you a window to cancel if the addition was unauthorised).

The whitelist is the strongest of the three security tools because it limits the damage of a full account compromise. Even with everything else, funds can only go to your pre-approved address.

Password and email security hygiene

The three Shuffle-native security tools work best alongside good general hygiene: a unique password used only at Shuffle (a password manager makes this easy), a dedicated email address for the account, and avoiding logging in on shared or public devices.

Shuffle's official domain is shuffle.com. The support email is accessible via live chat, and the deposit address shown in the cashier changes with each new deposit request as is standard for crypto wallets. If you ever receive an email asking you to send crypto directly or to log in via a link that doesn't resolve to shuffle.com, treat it as a phishing attempt.

After the October 2025 data breach: context

In October 2025, Shuffle's third-party CRM provider Fast Track was compromised, exposing personal data including names, emails, addresses, phone numbers, and transaction histories for the majority of Shuffle users at the time. Passwords, login credentials, and player funds were not compromised in the breach.

The practical takeaway for current players: if you registered before late 2025, your personal details may be in the wild. The risk vector is targeted phishing using that data. The anti-phishing email code and 2FA combination significantly reduces that risk. Shuffle recommended enabling 2FA immediately after the breach was disclosed. If you haven't done it yet, do it now.