Dutch football club AFC Ajax has confirmed a data breach after an attacker exploited vulnerabilities in its internal systems. The club acknowledges exposure of email addresses for several hundred individuals and limited personal data on fewer than 20 supporters with stadium bans, but independent reporting by RTL News suggests the flaws potentially affected more than 300,000 registered supporters and put over 42,000 season tickets at risk.
What Happened
Ajax states that a "hacker in the Netherlands" exploited vulnerabilities to access parts of its systems. The club says it has since patched the issues, notified regulators, and seen no indication the data has spread further. However, RTL News investigators independently demonstrated that the underlying flaws went far beyond passive data exposure. By probing exposed APIs and reusing shared digital keys, RTL was able to impersonate other users entirely, transferring season tickets, modifying account details, and even lifting stadium bans. In one demonstration, RTL pulled a VIP ticket from the account of Ajax director Menno Geelen and used it to gain access to an upcoming match before the club reclaimed it.
What Was Taken
Confirmed exposure from Ajax covers email addresses of a few hundred people and limited personal data tied to fewer than 20 banned supporters. The broader exposure surfaced by RTL is significantly more serious:
- Data on more than 300,000 registered supporters potentially reachable through the flawed APIs.
- Upwards of 42,000 season tickets at risk of transfer, theft, or disappearance.
- Records of more than 500 supporters under stadium bans, including the underlying reasons such as fights with stewards and drug-related incidents.
- The ability to alter account details and reverse bans on demand.
One affected individual, a local government worker, told RTL the disclosure of his ban could damage his career, highlighting the sensitivity of the leaked enforcement data.
Why It Matters
This incident is a textbook example of how authorization flaws can dwarf the impact of a conventional data leak. Ajax is framing the event as a narrow exposure of a few hundred email addresses, but the same weaknesses allowed outsiders to operate accounts, move valuable assets, and rewrite club enforcement decisions. For defenders, the case shows how reputational and operational damage can arise even when the volume of leaked records is low, because the integrity of the platform itself is compromised. Sports clubs, ticketing platforms, and any organization managing high-value digital assets tied to physical access should treat this as a warning that broken access control is often more damaging than data theft.
The Attack Technique
Reporting points to a class of issues consistent with Broken Object Level Authorization (BOLA, API1:2023) and Broken Function Level Authorization (BFLA, API5:2023), both documented in the OWASP API Security Top 10. According to RTL, Ajax systems trusted requests they should not have trusted and effectively handed out the same digital keys to all users. Manipulating object identifiers in API calls (another supporter's season ticket, another account's details) is the BOLA pattern; reaching an enforcement function such as lifting a stadium ban from an ordinary supporter's session is the BFLA pattern; and keys or tokens that were not bound to a specific user meant the server could not tell callers apart in the first place. Together these let an outsider act as any account holder. There is no indication of malware, phishing, or credential theft. The exposure stemmed from design and access control failures in production-facing APIs.
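To make the failure concrete, here is an added example (not Ajax's code or anything RTL published) of a ticket-transfer endpoint modelled two ways: first trusting a club-wide shared key with no ownership check, then with a per-user, short-lived HMAC token and a server-side object-level check. The account names, ticket ids, token format and secret are constructed assumptions for illustration.

```python
"""Added example: a ticket-transfer endpoint, vulnerable and hardened.

Everything here is constructed for illustration: the accounts, tickets,
endpoint names, token layout and secret are assumptions, not Ajax's systems.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    owner: str      # account id of the current holder
    section: str


def sample_store():
    """Constructed sample data: three tickets held by two supporters."""
    return {
        "T-1001": Ticket("T-1001", "alice", "north"),
        "T-1002": Ticket("T-1002", "alice", "north"),
        "T-2001": Ticket("T-2001", "bob", "vip"),
    }


# --- Vulnerable pattern ----------------------------------------------------
# One static key shared by every client. Holding the key proves nothing about
# WHICH supporter is calling, so the server has no caller identity to check
# ticket ownership against; any ticket_id the client names gets moved.
SHARED_API_KEY = "club-wide-key-assumed-for-illustration"


def transfer_vulnerable(store, api_key, ticket_id, new_owner):
    if not hmac.compare_digest(api_key, SHARED_API_KEY):
        raise PermissionError("bad api key")
    ticket = store[ticket_id]          # no check that the caller owns it (BOLA)
    ticket.owner = new_owner
    return ticket.owner


# --- Hardened pattern ------------------------------------------------------
# A per-user, short-lived token "<user>|<expiry>|<hmac>". The HMAC binds the
# user id and expiry to a server-side secret, so the user field cannot be
# edited to name someone else, and the token stops working after ttl seconds.
# (Assumes user ids contain no "|"; a real system would use a structured
# token format instead of this delimiter.)
SERVER_SECRET = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, ttl: int = 300, now=None) -> str:
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{user_id}|{expiry}"
    return f"{payload}|{_sign(payload)}"


def verify_token(token: str, now=None) -> str:
    """Return the user id the token was issued to, or raise PermissionError."""
    try:
        user_id, expiry, sig = token.split("|")
    except ValueError:
        raise PermissionError("malformed token")
    if not hmac.compare_digest(sig, _sign(f"{user_id}|{expiry}")):
        raise PermissionError("bad signature")
    if int(expiry) < int(now if now is not None else time.time()):
        raise PermissionError("token expired")
    return user_id


def transfer_hardened(store, token, ticket_id, new_owner, now=None):
    caller = verify_token(token, now)
    ticket = store.get(ticket_id)
    # Object-level check: the authenticated caller must hold this ticket.
    # "No such ticket" and "not yours" return the same error so a probing
    # client cannot use the response to enumerate valid ticket ids.
    if ticket is None or ticket.owner != caller:
        raise PermissionError("ticket not found or not owned by caller")
    ticket.owner = new_owner
    return ticket.owner


if __name__ == "__main__":
    store = sample_store()
    print(transfer_vulnerable(store, SHARED_API_KEY, "T-2001", "mallory"))  # bob's VIP ticket moves
    store = sample_store()
    try:
        transfer_hardened(store, issue_token("mallory"), "T-2001", "mallory")
    except PermissionError as exc:
        print("hardened endpoint refused:", exc)
```

The point of the second version is that authorization has two inputs the first version lacks: a caller identity the server can trust (from the signed token) and an ownership relation between that identity and the object being acted on. Neither the key check nor a client-side "is this my ticket" guard substitutes for either.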
What Organizations Should Do
- Audit all customer-facing APIs for Broken Object Level Authorization, ensuring every request validates that the calling user owns the object being accessed or modified.
- Eliminate shared or static API keys for end-user functionality. Issue per-user, short-lived tokens scoped to the minimum required actions.
- Apply strict server-side authorization on sensitive actions such as ticket transfers, account changes, and enforcement record updates, rather than relying on client-side controls.
- Log and alert on anomalous patterns including bulk ticket transfers, mass account modifications, and reversals of enforcement actions like bans.
- Conduct adversarial testing against ticketing and member portals, including the same identifier and token manipulation RTL used, before launch and after any significant update.
- Maintain an incident response plan that accounts for integrity breaches, not just confidentiality breaches, including reversal procedures for fraudulent transfers and ban modifications.
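The logging and alerting item above is the one most often left as a slogan, so here is an added example (not from Ajax or RTL) of three detection rules run over constructed sample log lines: bulk ticket transfers in a short window keyed on source IP, one source IP acting as several different accounts (the signature of a key or token that is not bound to a user), and ban lifts by accounts outside an enforcement role. The JSON log format, field names, account names, IP addresses and thresholds are all assumptions for illustration.

```python
"""Added example: detection rules over constructed ticketing audit events.

The log format, field names, sample data and thresholds are assumptions for
illustration, not Ajax's logging.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one source IP drives six transfers under two
# different supporter identities within a minute, then lifts a ban while
# acting as an ordinary supporter. The last two lines are benign.
SAMPLE_LOG = """\
{"ts":"2024-03-01T10:00:01","actor":"alice","src":"203.0.113.7","action":"ticket.transfer","object":"T-1001"}
{"ts":"2024-03-01T10:00:09","actor":"alice","src":"203.0.113.7","action":"ticket.transfer","object":"T-1002"}
{"ts":"2024-03-01T10:00:15","actor":"bob","src":"203.0.113.7","action":"ticket.transfer","object":"T-2001"}
{"ts":"2024-03-01T10:00:22","actor":"bob","src":"203.0.113.7","action":"ticket.transfer","object":"T-2002"}
{"ts":"2024-03-01T10:00:30","actor":"bob","src":"203.0.113.7","action":"ticket.transfer","object":"T-2003"}
{"ts":"2024-03-01T10:00:41","actor":"bob","src":"203.0.113.7","action":"ticket.transfer","object":"T-2004"}
{"ts":"2024-03-01T10:01:05","actor":"bob","src":"203.0.113.7","action":"ban.lift","object":"BAN-77"}
{"ts":"2024-03-01T11:30:00","actor":"stewarding-desk","src":"10.0.0.5","action":"ban.lift","object":"BAN-12"}
{"ts":"2024-03-01T12:00:00","actor":"dave","src":"198.51.100.3","action":"ticket.transfer","object":"T-3001"}
"""

# Assumed: the only accounts permitted to lift stadium bans.
ENFORCEMENT_ROLES = {"stewarding-desk"}


def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def bulk_transfers(events, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: peak count} for IPs with >= threshold transfers in any window.

    Keyed on source IP rather than actor: when every client shares one key,
    a single attacker shows up as many actors, so per-account thresholds
    would be split across identities and never trip.
    """
    recent = defaultdict(deque)
    flagged = {}
    for event in events:
        if event["action"] != "ticket.transfer":
            continue
        window_q = recent[event["src"]]
        window_q.append(event["ts"])
        while window_q and event["ts"] - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold:
            flagged[event["src"]] = max(flagged.get(event["src"], 0), len(window_q))
    return flagged


def identity_churn(events, threshold=2):
    """Source IPs seen acting as >= threshold distinct accounts.

    A shared household or office can trigger this too, so treat it as a
    triage signal to correlate with the other rules, not a verdict.
    """
    actors = defaultdict(set)
    for event in events:
        actors[event["src"]].add(event["actor"])
    return {src: sorted(seen) for src, seen in actors.items() if len(seen) >= threshold}


def unauthorized_ban_lifts(events, allowed=ENFORCEMENT_ROLES):
    """Every ban.lift performed by an account outside the enforcement role set."""
    return [(event["actor"], event["object"])
            for event in events
            if event["action"] == "ban.lift" and event["actor"] not in allowed]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("bulk transfers:", bulk_transfers(evts))
    print("identity churn:", identity_churn(evts))
    print("unauthorized ban lifts:", unauthorized_ban_lifts(evts))
```

All three rules are deliberately simple because the value is in having the events at all: a transfer endpoint that does not record actor, source and object for every mutation cannot be monitored, and an integrity incident of the kind RTL demonstrated cannot be reconstructed or reversed afterwards.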
Sources: AFC Ajax drops ball as hackers transfer tickets, lift bans