Ajax Amsterdam Breach Exposed 300K Fan Accounts to Ticket Theft
An API vulnerability in AFC Ajax systems let attackers access fan data and transfer 42,000+ season tickets. Club patched after journalists demonstrated the flaw.
Dutch football club AFC Ajax disclosed a data breach this week after journalists demonstrated that attackers could access personal data of over 300,000 fans—and potentially transfer more than 42,000 season tickets to different names. The club learned about the vulnerability not from its own security team, but from RTL journalists who were tipped off by the hacker who discovered it.
What the Attacker Could Access
The weakness sat in an API endpoint that failed to properly authenticate requests. With a simple script, an attacker could:
- View personal details of 300,000+ registered fan accounts
- Access names, email addresses, and birth dates of individuals with stadium bans
- Transfer season passes and match tickets between accounts
- Modify or completely remove stadium bans
The ticket transfer capability is particularly concerning. Ajax's Johan Cruyff Arena hosts 55,000 fans per match, and season tickets command significant resale value. An attacker could have rendered legitimate tickets unusable while fraudulently claiming them for resale—a scenario that would have caused chaos on match days.
The Disclosure Timeline
Ajax confirmed the breach on March 25, 2026, stating that the "exposed data has not been leaked." The club claims only email addresses of "a few hundred people" were actually viewed, with fewer than 20 stadium-banned individuals having their names, emails, and birth dates accessed.
The gap between what was accessible (300,000+ accounts) and what was accessed (a few hundred) matters legally and practically. But the vulnerability window remains unclear. The club hasn't disclosed when the flaw was introduced or how long it existed before the ethical hacker found it.
API Security Failures Continue
This breach follows a familiar pattern. Broken object-level authorization (BOLA) and broken authentication have held the top two spots in both the 2019 and 2023 editions of OWASP's API Security Top 10. The Ajax API apparently allowed enumeration of resources without verifying that the requester was authenticated or had legitimate access to them: a textbook BOLA flaw, where an endpoint takes an object identifier from the client and acts on it without checking that the caller owns that object.
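The pattern described above, both the "simple script" from the section on what the attacker could access and the missing authorization check, as an added illustration in Python. This is not Ajax's code and none of it comes from the article: the ticket ids, accounts, session tokens and the `TicketStore`, `vulnerable_transfer`, `hardened_transfer` and `enumeration_suspects` helpers are all constructed for the example. The vulnerable handler accepts a sequential ticket id and a new owner with no authentication, so a loop over the id space moves every ticket. The hardened handler resolves a bearer token to an account first, then checks that the account owns the referenced ticket, returns the same 404 for missing and not-owned ids so status codes do not confirm which ids exist, and counts denials per account as a detection signal for enumeration.

```python
"""Broken object-level authorization (BOLA) on a ticket-transfer endpoint.

Added illustration, not Ajax's code: the ticket ids, accounts and session
tokens below are constructed sample data. The vulnerable handler mirrors the
pattern the article describes (sequential ids, no authentication, no
ownership check); the hardened handler shows the two checks that were missing.
"""
import secrets
from dataclasses import dataclass


class ApiError(Exception):
    """Stands in for an HTTP error response in a real framework."""

    def __init__(self, status: int, message: str):
        super().__init__(f"{status} {message}")
        self.status = status


@dataclass
class Ticket:
    ticket_id: int
    owner: str  # account e-mail
    seat: str


class TicketStore:
    def __init__(self):
        # Constructed sample data: three season tickets with sequential ids.
        self.tickets = {
            1001: Ticket(1001, "alice@example.com", "Section 120 Row 4"),
            1002: Ticket(1002, "bob@example.com", "Section 120 Row 5"),
            1003: Ticket(1003, "carol@example.com", "Section 411 Row 2"),
        }
        self.sessions: dict[str, str] = {}  # bearer token -> account
        self.denied: dict[str, int] = {}  # account -> failed ownership checks

    def issue_session(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, unlike sequential ids
        self.sessions[token] = account
        return token


# --- Vulnerable: the pattern the article describes -----------------------

def vulnerable_transfer(store: TicketStore, ticket_id: int, new_owner: str) -> dict:
    """No authentication and no ownership check: any caller moves any ticket."""
    ticket = store.tickets[ticket_id]
    ticket.owner = new_owner
    return {"ticket_id": ticket_id, "owner": ticket.owner}


def enumerate_and_steal(store: TicketStore, lo: int, hi: int, attacker: str) -> list[int]:
    """The 'simple script': walk the sequential id space and claim every ticket."""
    stolen = []
    for ticket_id in range(lo, hi):
        if ticket_id in store.tickets:  # a real attacker would just try and ignore errors
            vulnerable_transfer(store, ticket_id, attacker)
            stolen.append(ticket_id)
    return stolen


# --- Hardened: authenticate, then authorize per object -------------------

def authenticate(store: TicketStore, headers: dict) -> str:
    """Resolve the bearer token to an account, or reject the request outright."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or token not in store.sessions:
        raise ApiError(401, "authentication required")
    return store.sessions[token]


def hardened_transfer(store: TicketStore, headers: dict, ticket_id: int, new_owner: str) -> dict:
    caller = authenticate(store, headers)
    ticket = store.tickets.get(ticket_id)
    # Object-level check: the caller must own this ticket. Missing and
    # not-yours both return 404 so status codes do not reveal which ids exist.
    if ticket is None or ticket.owner != caller:
        store.denied[caller] = store.denied.get(caller, 0) + 1
        raise ApiError(404, "ticket not found")
    ticket.owner = new_owner
    return {"ticket_id": ticket_id, "owner": ticket.owner}


def enumeration_suspects(store: TicketStore, threshold: int = 5) -> list[str]:
    """Detection hook: accounts that rack up ownership denials are probing ids."""
    return sorted(a for a, n in store.denied.items() if n >= threshold)


if __name__ == "__main__":
    s = TicketStore()
    print("vulnerable:", enumerate_and_steal(s, 1000, 1010, "mallory@example.com"))
    s = TicketStore()
    tok = s.issue_session("alice@example.com")
    hdr = {"Authorization": f"Bearer {tok}"}
    print("own ticket:", hardened_transfer(s, hdr, 1001, "dave@example.com"))
    try:
        hardened_transfer(s, hdr, 1002, "alice@example.com")
    except ApiError as e:
        print("someone else's ticket:", e)
```

The two checks are deliberately separate: authentication answers "who is calling", object-level authorization answers "may this caller touch ticket 1002". An endpoint that does only the first is still enumerable by any logged-in fan, which is why the ownership check sits inside the handler rather than in a gateway that only validates tokens. The denial counter is the cheapest detection signal for this class of attack: legitimate users almost never request ids they do not own, so a handful of 404s from one session is worth an alert.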
We've seen similar issues across sectors. The Korean Air breach exposed 30,000 employee records through an improperly secured Oracle EBS interface. The Infinite Campus breach that ShinyHunters exploited affected 11 million students through comparable access control failures.
Sports organizations are attractive targets precisely because they hold payment data, identity information, and access credentials for large fan bases. The 2024 Ticketmaster breach that exposed 560 million customers demonstrated the scale of damage possible when ticketing systems get compromised.
What Ajax Is Doing
The club's response has been relatively transparent by breach disclosure standards:
- Patched immediately — The specific API vulnerabilities were fixed
- Additional security measures — Broader hardening implemented (details not disclosed)
- Regulatory notification — Dutch Data Protection Authority (Autoriteit Persoonsgegevens) informed
- Law enforcement — Police report filed
- External audit — Security experts engaged for review
Ajax advised fans to "watch for suspicious communications" and be wary of phishing attempts leveraging the breach. With email addresses exposed, targeted phishing campaigns impersonating the club are inevitable.
Why This Matters Beyond Football
Sports organizations handle the same sensitive data as any e-commerce platform—payment information, identity documents, access credentials—but often without equivalent security investment. Clubs operate as businesses with millions in revenue but may approach cybersecurity with the mindset of community organizations.
The 42,000 season tickets that could have been stolen represent real financial harm. Unlike a password breach where credentials can be reset, transferred tickets require manual intervention, identity verification, and potentially legal action to recover. Match-day access is time-sensitive; you can't wait for a support ticket when kickoff is in two hours.
For fans wondering about their exposure: if you've registered for an Ajax account, assume your email address may have been accessible. Use a strong, unique password on the account, and treat any email claiming to be from the club with suspicion: verify through official channels before clicking links or providing information.
The incident also highlights why bug bounty programs matter. The hacker who found this vulnerability chose to tip off journalists rather than exploit it maliciously. Not every vulnerability discoverer will make that choice. Formal bounty programs give ethical hackers a clear, rewarded path to disclosure.
The Bottom Line
Ajax got lucky. An ethical hacker found the flaw, demonstrated it to journalists, and the club patched before mass exploitation occurred. The next organization with an unauthenticated API endpoint exposing 300,000 customer records might not get the same grace period.
API security isn't optional. Authentication and authorization must happen at every endpoint, every time. The alternative is headlines, regulatory scrutiny, and fans wondering whether their next ticket purchase might end up in someone else's hands.