
Dutch professional soccer club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a couple hundred people.
The security issues also allowed transferring purchased tickets to others and enabled modifications to stadium bans imposed on certain individuals.
The club learned about the security issues and their impact from journalists who were tipped off by the hacker.
AFC Ajax is one of the most successful soccer clubs, having won the UEFA Champions League four times and holding 36 titles in the Eredivisie, the premier professional soccer league in the Netherlands.
“We recently discovered that a hacker in the Netherlands unlawfully gained access to parts of our systems. Data was viewed,” AFC Ajax stated.
“What we now know is that only the email addresses of some hundred people were viewed. In addition, for fewer than 20 people with a stadium ban, their names, email addresses, and dates of birth were accessed.”
RTL journalists who received a tip from the hacker independently verified the vulnerabilities and reported that they were able to transfer season tickets from their holders to arbitrary people, access and modify stadium ban data, and gain broad access to fan data via APIs and shared keys.
In a demonstration, they reassigned a VIP season ticket in seconds. Most worryingly, RTL stated it could manipulate 42,000 season tickets and 538 supporter stadium bans, and view details on over 300,000 accounts.
AFC Ajax says that it has engaged external experts to determine the scope of the incident and identify the root cause, while noting that the exposed data has not been leaked.
Meanwhile, all identified vulnerabilities have been patched, and additional security measures have been introduced.
The Dutch Data Protection Authority, as well as the police, have also been notified accordingly.
RTL’s investigation was clearly non-malicious. Likewise, the attacker’s limited access and decision to disclose the flaws through the media, rather than exploit them for profit or extortion, suggest the vulnerabilities weren’t abused at scale.
Nonetheless, it remains unclear whether this was the first time these weaknesses in Ajax’s systems were discovered or exploited.
Ajax fans who have registered with the club’s systems or purchased season tickets should remain vigilant for suspicious communications, especially those impersonating or claiming to come from the AFC Ajax club.

