Ajax data breach exposed season tickets, supporter bans open to tampering

AFC Ajax has launched an investigation after a security breach exposed sensitive fan data and revealed critical vulnerabilities allowing unauthorized access to season tickets and stadium ban records.

Key points

  • Hackers exploited exposed APIs and shared access keys within the AFC Ajax website and mobile application.
  • The breach compromised personal data for over 300,000 registered fans and exposed records of 538 individuals currently under stadium bans.
  • Unauthorized users could steal or disable more than 42,000 season tickets by manipulating account access.
  • AFC Ajax has patched the identified vulnerabilities, filed a police report, and notified the Dutch Data Protection Authority.
  • The club is advising all supporters to remain vigilant against potential phishing attempts and suspicious emails following the incident.

Why it matters

This incident highlights significant cybersecurity risks for sports organizations managing large databases of personal fan information and digital ticketing systems. The vulnerability underscores the critical need for robust API security to prevent unauthorized account manipulation and protect sensitive user data.

Help Net Security Published by Sinisa Markovic