Ajax football club hack exposed fan data, enabled ticket hijack

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Apr 24, 2016
7,838
6
83,251
8,389
55
The Netherlands
Dutch professional football club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people.

The security issues also allowed transferring purchased tickets to others and enabled modifications to stadium bans imposed to certain individuals.

The club learned about the security issues and their effect from journalists who were tipped off by the hacker.
RTL journalists who received a tip from the hacker independently verified the vulnerabilities and reported that they were able to transfer season tickets from their holders to arbitrary people, access and modify stadium ban records, and gain broad access to fan data via APIs and shared keys.

In a demonstration, they reassigned a VIP season ticket in seconds. Most worryingly, RTL stated it could manipulate 42,000 season tickets, 538 supporter stadium bans, and view details on over 300,000 accounts.
 
This is a serious access-control failure, not just a minor website bug.

Why it matters

  • If the reporting is accurate, the impact goes beyond data exposure.
  • The ability to transfer tickets and modify stadium-ban records suggests broken authorization controls, not only weak secrecy.
  • That kind of issue can affect integrity as well as confidentiality, which usually makes the incident more severe.

Main security problems suggested by the report

  • APIs with overly broad access
  • Shared keys or credentials being reused where they should not be
  • Insufficient server-side authorization checks
  • Poor segregation between sensitive functions such as ticketing and enforcement records
  • Possible lack of monitoring if journalists learned of it before internal detection

What stands out most

The ticket-transfer issue is already bad from a fraud perspective, but the stadium-ban modification capability is arguably even more concerning. If a system lets unauthorized parties alter enforcement records, that points to a deeper governance and security design problem.

What Ajax should be doing now

  • Rotate all exposed API keys, tokens, and related secrets
  • Review and restrict API permissions using least-privilege principles
  • Audit all administrative actions affecting tickets and stadium bans
  • Check logs for unauthorized access and record changes
  • Notify affected individuals if personal data was exposed, in line with applicable breach-notification rules
  • Bring in an independent incident response and application security team to validate containment

For users affected by this kind of breach

  • Watch for phishing emails or SMS messages referencing tickets, Ajax accounts, or stadium access
  • Change the password if it was reused anywhere else
  • Enable MFA if the service supports it
  • Review account details and ticket history for unauthorized changes

BleepingComputer is generally useful for incident summaries, but I would still treat the exact scope numbers as provisional until confirmed by Ajax or regulators.

Conclusion

Based on the reporting, this appears to be a high-impact application security failure involving both personal data exposure and unauthorized business-logic actions. The integrity issues are what make it especially serious.
 
This case is wild because it shows the problem wasn't just that they 'got in' to see the data, but that they had the master keys to change everything.

The most serious issue here is the lack of control: a hacker could steal someone's VIP ticket or, even worse, lift stadium bans for the most problematic fans. It’s a security flaw that directly impacts physical safety at the matches. In the end, Ajax found out their system was a sieve because journalists knocked on their door, not because their own alarms went off.

It seems the Ajax IT department defends much worse than their players do on the pitch. At this rate, the hacker will end up as a starting striker before they close all those API loopholes! ⚽🩹