Dutch football club AFC Ajax has confirmed a hacker exploited vulnerabilities in its IT systems, accessing fan personal data and gaining the ability to transfer, reassign, and manipulate tickets at scale. RTL journalists who independently verified the flaws demonstrated they could manipulate 42,000 season tickets, access or modify 538 stadium ban records, and view details on over 300,000 fan accounts — including reassigning a VIP season ticket in seconds. Ajax confirmed the breach on March 26, 2026, noting the club only learned of the vulnerabilities from journalists tipped off by the hacker. All identified flaws have since been patched.
What Happened
A hacker in the Netherlands identified and exploited multiple vulnerabilities in Ajax's IT infrastructure, gaining unauthorized access to fan account data and ticketing systems. The hacker chose to disclose the flaws to RTL journalists rather than exploit them commercially — RTL then independently verified the vulnerabilities before contacting Ajax.
In their verification, RTL journalists confirmed they could: transfer season tickets from legitimate holders to arbitrary third parties, access and modify stadium ban records for 538 individuals, and view personal data across more than 300,000 fan accounts. The demonstration included reassigning a VIP season ticket in real time — a capability that, in criminal hands, would enable a large-scale ticket fraud and resale operation.
Ajax stated that in the actual unauthorized access by the hacker, only the email addresses of "a few hundred people" were viewed, and for fewer than 20 individuals with stadium bans, names, email addresses, and dates of birth were accessed. The club has engaged external security experts to determine the full scope, notified the Dutch Data Protection Authority and police, and patched all identified vulnerabilities. The club states the exposed data has not been leaked publicly.
The disclosure pathway — hacker to journalist to club — raises an important unresolved question: whether this was the first time these vulnerabilities were discovered. Flaws of this severity, particularly unauthenticated or weakly authenticated API access enabling ticket transfers at scale, are the kind of capability that criminal actors actively seek and monetize in underground markets.
What Was Taken
Confirmed accessed by the hacker:
- Email addresses of a few hundred fan account holders
- Names, email addresses, and dates of birth of fewer than 20 individuals subject to stadium bans
Confirmed accessible but not confirmed exfiltrated (per RTL's independent verification):
- Personal data on 300,000+ fan accounts — the full scope of accessible fields has not been disclosed but likely includes contact details, purchase histories, and account credentials
- 42,000 season ticket records — with transfer and reassignment capability, implying access to full ticket ownership and holder data
- 538 stadium ban records — including identity information used for enforcement; the modification capability represents a direct risk to venue safety operations
- Shared API keys — RTL reported access via APIs and shared keys, suggesting credential material was accessible that could enable persistent or broader access
Why It Matters
The confirmed damage is relatively contained. The strategic implications are not.
This incident exposes a category of vulnerability that is endemic across sports, entertainment, and events infrastructure: ticketing and fan management systems built with consumer-facing convenience prioritized over security architecture. API endpoints that allow ticket transfers, account lookups, and ban record access are core business functions — but when improperly authenticated or authorized, they become a complete fraud toolkit.
The ticket manipulation capability is the most commercially dangerous element. Secondary ticket markets are a multi-billion dollar ecosystem with significant criminal participation. The ability to silently transfer 42,000 season tickets — without the original holder's knowledge or consent — would enable an operation that could generate millions in fraudulent resale revenue before detection. The fact that this capability existed and was apparently accessible via exploitable API vulnerabilities is a systemic failure, not a configuration error.
The stadium ban modification capability carries a distinct and serious public safety dimension. Stadium bans exist to prevent violence, disorder, and harassment at live events. A system where ban records can be modified via an exploitable vulnerability is a venue security failure with real physical consequences — not just a data protection issue.
For defenders across sports, entertainment, and events verticals: your ticketing system is a financial instrument and a security control. Treat it accordingly.
The Attack Technique
Ajax has not disclosed the specific vulnerability class. RTL's reporting points clearly to the root cause: improperly secured API endpoints and shared credential material. The technical pattern is consistent with several common API security failures:
- Broken Object Level Authorization (BOLA/IDOR) — the most common API vulnerability class; authenticated users can access or modify records belonging to other users by manipulating object identifiers (ticket IDs, account IDs, ban record IDs) in API requests
- Shared or hardcoded API keys — RTL explicitly noted access via "shared keys," suggesting API keys embedded in client-side code, shared across services without scoping, or accessible via exposed configuration
- Missing function-level authorization — ticket transfer and ban modification are privileged operations that should require elevated authorization checks; their accessibility suggests authorization logic was absent or bypassable
- Unauthenticated or weakly authenticated endpoints — fan-facing ticketing APIs sometimes expose administrative functionality on the same endpoint surface without enforcing role separation
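To make the first and third failure modes concrete, here is an added example (not Ajax's code, which is not public) of a ticket-transfer handler in its BOLA-prone form beside an authorized form that enforces both object-level ownership and a function-level role check. The in-memory store, account names, and the "box_office" role are assumptions constructed for illustration.

```python
# Added example: ticket transfer with and without object/function-level authorization.
from dataclasses import dataclass, field


@dataclass
class Ticket:
    ticket_id: int
    holder: str            # account that currently owns the seat

@dataclass
class Principal:
    account: str
    roles: set = field(default_factory=set)   # e.g. {"fan"} or {"box_office"} (assumed)

class Forbidden(Exception):
    pass

def sample_tickets():
    """Constructed store: two season tickets held by two different fans."""
    return {1001: Ticket(1001, "alice"), 1002: Ticket(1002, "bob")}

def transfer_unchecked(tickets, caller, ticket_id, new_holder):
    """Vulnerable pattern (BOLA/IDOR): the handler trusts the ticket_id from the
    request and never asks whether the caller holds that ticket."""
    ticket = tickets[ticket_id]
    ticket.holder = new_holder
    return ticket

def transfer_checked(tickets, caller, ticket_id, new_holder):
    """Hardened pattern: object-level check (caller holds the ticket) plus a
    function-level override reserved for an explicit privileged role."""
    ticket = tickets.get(ticket_id)
    if ticket is None:
        raise Forbidden("not permitted")   # same reply as 'not yours': no existence oracle
    is_holder = ticket.holder == caller.account
    is_box_office = "box_office" in caller.roles
    if not (is_holder or is_box_office):
        raise Forbidden("not permitted")
    ticket.holder = new_holder
    return ticket

def try_transfer(fn, tickets, caller, ticket_id, new_holder):
    """Run a handler and report the resulting holder, or 'FORBIDDEN'."""
    try:
        return fn(tickets, caller, ticket_id, new_holder).holder
    except Forbidden:
        return "FORBIDDEN"
```

The unchecked handler lets any authenticated fan reassign any ticket by changing the id; the checked one refuses unless the caller holds the ticket or carries the privileged role, and answers unknown ids identically so the endpoint cannot be used to enumerate which ids exist.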
The hacker's Netherlands location and decision to disclose rather than exploit suggest a security researcher or grey-hat actor rather than a criminal operator — but the vulnerabilities themselves are exactly what criminal actors scan for continuously.
What Organizations Should Do
- Conduct an API security audit against the OWASP API Security Top 10 — BOLA, broken authentication, and excessive data exposure account for the majority of real-world API breaches; run automated scanning and manual testing against every fan-facing and partner-facing API endpoint, paying particular attention to object-level authorization on ticket and account operations
- Eliminate shared API keys immediately — shared keys provide no auditability and no revocation granularity; replace with scoped, per-service credentials with the minimum permissions required; rotate any key that may have been exposed
- Separate privileged operations from general fan API surfaces — ticket transfer, ban record access, and account modification are administrative functions that should live behind elevated authentication and authorization controls, not on the same API surface as account lookup and purchase history
- Implement anomaly detection on ticketing API calls — bulk ticket transfers, sequential object ID enumeration, and unusual ban record access patterns should trigger alerts; most ticketing fraud and API abuse follows detectable behavioral signatures
- Treat stadium ban systems as safety-critical infrastructure — ban record integrity has direct venue safety implications; access to ban modification should be strictly controlled, logged, and audited; consider offline or air-gapped backups of ban records that cannot be modified via internet-facing APIs
- Notify affected fans proactively and broadly — Ajax's disclosure covers "a few hundred" directly accessed, but RTL demonstrated access to 300,000 accounts; erring toward broad notification and credential reset recommendations is the appropriate response when the true exfiltration scope is unknown
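The anomaly-detection recommendation above can be expressed as a small log-analysis routine. This is an added example, not Ajax's or RTL's tooling: the log line layout, the thresholds, and the account names are assumptions constructed for illustration. It flags the two behavioural signatures the text names, bulk transfers by one account inside a short window and sequential object-id walks.

```python
# Added example: detect bulk transfers and id enumeration in constructed ticketing-API logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (constructed for this example, not a real product's format).
LINE = re.compile(r"^(?P<ts>\S+) account=(?P<acct>\S+) method=\S+ "
                  r"path=/api/(?P<res>tickets|bans)/(?P<oid>\d+)(?P<op>/transfer)?")

# Constructed sample: bob reads his own ticket; "mallory" walks consecutive ids, then bulk-transfers.
SAMPLE_LOG = """\
2026-03-26T10:00:01Z account=bob method=GET path=/api/tickets/1002 status=200
2026-03-26T10:00:05Z account=mallory method=GET path=/api/tickets/1001 status=200
2026-03-26T10:00:06Z account=mallory method=GET path=/api/tickets/1002 status=200
2026-03-26T10:00:07Z account=mallory method=GET path=/api/tickets/1003 status=200
2026-03-26T10:00:08Z account=mallory method=GET path=/api/tickets/1004 status=200
2026-03-26T10:00:20Z account=mallory method=POST path=/api/tickets/1001/transfer status=200
2026-03-26T10:00:21Z account=mallory method=POST path=/api/tickets/1002/transfer status=200
2026-03-26T10:00:22Z account=mallory method=POST path=/api/tickets/1003/transfer status=200
"""

def parse(log):
    """Yield (timestamp, account, resource, object id, is_transfer) per parsable line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["acct"], m["res"], int(m["oid"]), bool(m["op"])

def detect(log, window=timedelta(seconds=60), bulk=3, run_len=4):
    """Return (account, signal, count) alerts for bulk transfers and sequential id walks."""
    alerts, transfers, ids_seen = [], defaultdict(list), defaultdict(set)
    for ts, acct, res, oid, is_transfer in parse(log):
        ids_seen[(acct, res)].add(oid)
        if is_transfer:
            transfers[acct].append(ts)
    for acct, stamps in transfers.items():
        stamps.sort()
        for i, start in enumerate(stamps):           # sliding window over sorted times
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= bulk:
                alerts.append((acct, "bulk_transfer", n))
                break
    for (acct, res), ids in ids_seen.items():
        seq, run, best = sorted(ids), 1, 1
        for a, b in zip(seq, seq[1:]):               # longest run of consecutive ids
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= run_len:
            alerts.append((acct, f"{res}_id_enumeration", best))
    return alerts
```

Thresholds here are deliberately low so the sample trips them; in production they would be tuned per endpoint and the same logic applied to the ban-record paths the text calls safety-critical.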