Ajax Football Club Hack Exposes Fan Emails and Enables Ticket Hijack for Thousands
What Happened – An attacker exploited unpatched API flaws and poorly protected shared keys in AFC Ajax’s ticketing and fan‑management systems. The confirmed access covered the email addresses of a few hundred fans and the personal details (name, date of birth) of fewer than 20 individuals subject to stadium bans. The same flaws allowed the attacker to reassign season tickets and modify ban records; researchers demonstrated that they could be used to manipulate up to 42 000 tickets and to view data on more than 300 000 fan accounts, so the confirmed exposure is far smaller than the demonstrated exposure.
Why It Matters for TPRM –
- Personal data of ticket holders was accessed, creating privacy exposure and phishing risk for the affected fans.
- Ticket‑transfer and ban‑record functions could be abused by an unauthorized party, showing how tightly a club’s operations depend on the security of third‑party ticketing platforms.
- The incident highlights the need for continuous vulnerability management, API authorization checks and secret handling in sports and entertainment vendors’ platforms.
Who Is Affected – Sports & entertainment organizations, ticketing service providers, and the club’s fan base (personal data).
Recommended Actions – Review contracts with ticketing and fan‑engagement vendors for security clauses; verify that API keys and shared secrets are rotated and stored securely; ask vendors how ticket‑transfer and ban‑record operations are authorized; and demand evidence of recent vulnerability assessments and patch management.
Technical Notes – Attack vector: exploitation of vulnerable APIs and poorly protected shared keys (VULNERABILITY_EXPLOIT). No public data dump has been reported, but exposure of email addresses and a limited set of personal identifiers is confirmed. Source: BleepingComputer