Ajax Amsterdam Data Breach Exposes 300,000 Fans via App Vulnerability
The Dutch football club Ajax Amsterdam confirmed a data breach impacting approximately 300,000 registered fans. Vulnerabilities in the club's digital infrastructure allowed unauthorized access to sensitive supporter databases.
The club initially suggested the scope was limited to a few hundred individuals, but subsequent technical audits confirmed that the personally identifiable information (PII) of the entire registered fan base was accessible.
The attack used a flaw within the official Ajax mobile application and associated website APIs. Attackers could exploit a broken access control mechanism where every app user was assigned the same digital key for account modifications. By manipulating intercepted data packets, an unauthorized user could perform actions on behalf of any other fan, such as transferring season passes or match tickets. Additionally, insecure API endpoints on the club's website leaked administrative credentials, granting access to internal records including sensitive stadium ban lists.
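The access-control failure described above, as an added illustration (not Ajax's code): a ticket-transfer handler that accepts one app-wide key and never checks who owns the ticket, beside a hardened version that resolves the caller from a per-account session and enforces object-level authorization. Ticket and account identifiers are constructed.

```python
# Added example, not the club's implementation. Models the flaw in the text:
# a single shared "digital key" for all users, so any caller can act on any
# fan's ticket. The hardened handler binds the request to one account and
# checks ownership before changing anything. All data is constructed.
import secrets

# Constructed fixture: ticket id -> owning account id
TICKETS = {"T-1001": "fan-A", "T-1002": "fan-B"}

# --- Vulnerable pattern: one key shared by every app user ---
SHARED_KEY = "app-wide-key"  # constructed; same value for every user


def transfer_vulnerable(tickets, key, ticket_id, to_account):
    """Anyone holding the shared key may move any ticket: nothing ties the
    caller to the ticket's owner, so the 'from' side is attacker-controlled."""
    if key != SHARED_KEY or ticket_id not in tickets:
        return False
    tickets[ticket_id] = to_account
    return True


# --- Hardened pattern: per-account session plus ownership check ---
SESSIONS = {}  # session token -> account id (server-side only)
DENIED = []    # audit trail of refused transfers, useful for detection


def login(account_id):
    """Issue an unguessable token bound to exactly one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def transfer_hardened(tickets, token, ticket_id, to_account):
    """Resolve the caller from the session, then enforce that only the
    owner of ticket_id may transfer it. Refusals are logged, not silent."""
    caller = SESSIONS.get(token)
    if caller is None:
        DENIED.append(("no-session", ticket_id))
        return False
    owner = tickets.get(ticket_id)
    if owner is None or owner != caller:
        DENIED.append((caller, ticket_id))  # repeated hits here = IDOR probing
        return False
    tickets[ticket_id] = to_account
    return True
```

Alerting on bursts of entries in the denied log (one account touching many ticket ids it does not own) is the detection counterpart to the authorization fix.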
The compromised data includes:
- Full names of supporters
- Email addresses
- Dates of birth
- Season pass and match ticket identifiers
- Stadium ban status and associated personal details
- Account metadata and transaction history
In total, 300,000 individuals were affected. The vulnerability also allowed the illicit transfer of over 42,000 season tickets, which carry significant market value.
Ajax took the affected systems offline to apply security patches and close the identified API leaks. The club notified the Dutch Data Protection Authority and filed a formal report with law enforcement. External cybersecurity experts were hired to conduct a forensic investigation and harden the club's digital perimeter. All affected fans were contacted via email and advised to monitor their accounts for suspicious activity or unauthorized ticket transfers.