Ajax Amsterdam systems breach enables ticket manipulation and limited fan data exposure
Summary
Hide ▲
Show ▼
A threat actor exploited vulnerabilities in Ajax Amsterdam’s IT systems to access limited fan data and manipulate ticket assignments and stadium bans. The incident affected a few hundred individuals, with fewer than 20 stadium bans compromised, including names, email addresses, and dates of birth. The attacker demonstrated the ability to reassign season tickets and modify existing stadium bans before disclosing the flaws to media outlets. The club has patched vulnerabilities, engaged external investigators, and notified Dutch authorities. No evidence of data leakage has been identified.
Timeline
-
26.03.2026 22:37 1 articles · 2h ago
Ajax Amsterdam discloses breach enabling ticket and stadium ban manipulation
AFC Ajax disclosed that a threat actor exploited vulnerabilities in its IT systems to access limited fan data and manipulate season ticket assignments and stadium bans. The incident affected a few hundred individuals, with fewer than 20 stadium bans compromised, and demonstrated the ability to reassign tickets and modify bans via exposed APIs. The club has patched vulnerabilities, introduced additional security measures, and engaged external experts to assess the incident. Dutch authorities have been notified.
Show sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
Information Snippets
-
A threat actor unlawfully accessed parts of Ajax Amsterdam’s systems and viewed data belonging to a few hundred individuals.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
-
For fewer than 20 individuals with stadium bans, the attacker accessed names, email addresses, and dates of birth.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
-
The attacker demonstrated the ability to transfer season tickets to arbitrary individuals and modify stadium ban records via exposed APIs and shared keys.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
-
RTL journalists independently verified the vulnerabilities, demonstrating the reallocation of a VIP season ticket in seconds and the potential to manipulate 42,000 season tickets and 538 stadium bans.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
-
Ajax Amsterdam has patched identified vulnerabilities, introduced additional security measures, and engaged external experts to assess the incident scope and root cause.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
-
The Dutch Data Protection Authority and police have been notified of the incident.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37
-
No evidence suggests the exposed data has been leaked or exploited for profit or extortion.
First reported: 26.03.2026 22:371 source, 1 articleShow sources
- Ajax football club hack exposed fan data, enabled ticket hijack — www.bleepingcomputer.com — 26.03.2026 22:37