Dutch professional soccer club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people.
The security issues also allowed transferring purchased tickets to others and enabled modifications to stadium bans imposed on certain individuals.
The club learned about the security issues and their impact from journalists who were tipped off by the hacker.
AFC Ajax is one of the most successful soccer clubs, having won the UEFA Champions League four times and holding 36 titles in the Eredivisie, the premier professional soccer league in the Netherlands.
“We recently discovered that a hacker in the Netherlands unlawfully gained access to parts of our systems. Data was seen,” AFC Ajax stated.
“What we now know is that only the email addresses of a few hundred people were seen. In addition, for fewer than 20 people with a stadium ban, their names, email addresses, and dates of birth were accessed.”
RTL journalists who received a tip from the hacker independently verified the vulnerabilities and reported that they were able to transfer season tickets from their holders to arbitrary people, access and modify stadium ban data, and gain broad access to fan data via APIs and shared keys.
In a demonstration, they reassigned a VIP season ticket in seconds. Most worryingly, RTL stated it could manipulate 42,000 season tickets, 538 supporter stadium bans, and view details on over 300,000 accounts.
AFC Ajax says that it has engaged external experts to determine the scope of the incident and identify the root cause, while noting that the exposed data has not been leaked.
Meanwhile, all known vulnerabilities have been patched, and additional security measures have been introduced.
The Dutch Data Protection Authority, as well as the police, have also been notified accordingly.
RTL’s investigation was clearly non-malicious. Likewise, the attacker’s limited access and decision to disclose the issues through the media, rather than exploit them for profit or extortion, suggest the vulnerabilities weren’t abused at scale.
However, it remains unclear whether this was the first time these weaknesses in Ajax’s systems were discovered or exploited.
Ajax fans who have registered with the club’s systems or purchased season tickets should remain vigilant for suspicious communications, especially those impersonating or claiming to come from the AFC Ajax club.




