Oh man, there's been a *lot*. And so many different classes of bugs. I think all the big casinos have at one time or another had at least one serious incident.

iirc, the primedice issue was they initialized the server-seed (i.e. for provably fairness) using a hash (?) function with the-current-time as (the only?) input. This meant that if two users created a server-seed at the exact same time, they would have the exact same server seed. Then one of the accounts just needs to reveal the server seed, and the other can continue using it for betting.  [Don't quote me on that, that's just my recollection of a many-years-old incident]


I used to run a major bitcoin casino (bustabit) and under my watch there was a pretty serious exploit:

https://bitcointalk.org/index.php?topic=709185.msg9679169#msg9679169

In that thread there's a pretty detailed technical postmortem of the issue. And kindly enough, the hacker even shared the code he used for the exploit -- which was pretty cool.