Ajax Football Club Hack Exposes 300,000 Fan Records, Suspect Arrested
Severity: High (Score: 64.5)
Sources: Feeds2.Feedburner, www.rtl.nl, Bleepingcomputer, Therecord.Media, www.politie.nl
Keywords: dutch, ajax, police, football, club, suspect, buren
Severity indicators: breach, ot
Summary
A 35-year-old man from Buren was arrested for hacking into Ajax Amsterdam's systems, compromising data of over 300,000 fans and 42,000 season tickets. The attacker exploited vulnerabilities in Ajax's IT systems, allowing unauthorized access and manipulation of sensitive data, including stadium bans. The breach was confirmed by Ajax in March 2026, and the police began their investigation shortly after. The hacker demonstrated the ability to reassign tickets and view private information of fans with stadium bans. Ajax has since patched the vulnerabilities and notified the Dutch Data Protection Authority. The incident raises significant concerns regarding data privacy and security within sports organizations.
Key Points:
• A 35-year-old man was arrested for hacking Ajax, accessing data of over 300,000 fans.
• The hack exploited vulnerabilities allowing unauthorized ticket transfers and viewing sensitive fan data.
• Ajax has patched the vulnerabilities and is notifying affected fans and authorities.
Detailed Analysis
**Impact** Over 300,000 registered Ajax football club fans had their private data exposed, including details of 42,000 season ticket holders and 538 individuals with active stadium bans. Sensitive information such as stadium bans, which are not publicly known, was accessible, potentially harming the reputations and careers of affected individuals. The breach allowed theft and reassignment of season tickets, including VIP access, disrupting club operations and fan trust. The incident affected the Dutch football sector and supporters primarily in the Netherlands.

**Technical Details** The attacker exploited vulnerabilities in Ajax’s IT systems, specifically weaknesses in API integrations and shared digital keys that allowed unauthorized access and manipulation of user accounts. The attack vector involved manipulating data packets to perform actions on behalf of other users, such as transferring tickets and altering stadium ban statuses. No specific malware or CVEs were mentioned. The intrusion was identified as multiple unauthorized computer system accesses, with digital storage devices seized during the suspect’s arrest in Buren.

**Recommended Response** Apply patches to fix API security flaws and eliminate shared digital keys that allow unauthorized account modifications. Harden authentication mechanisms and implement strict access controls for sensitive data and administrative functions. Deploy monitoring for unusual API activity and ticket reassignment patterns. Continue forensic analysis of seized devices and monitor for potential data misuse or further unauthorized access attempts.
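One way to implement the monitoring recommended above, as an added example that is not taken from the source articles or from Ajax's systems: it flags sensitive API actions where the authenticated account is not the owner of the object it changed, and surfaces accounts that did this to several different owners. The log fields (`actor`, `owner`, `action`), the action names and the staff allowlist are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed audit records, not data from the incident. Field names are assumptions:
# actor = authenticated account, owner = account that owns the touched object.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T09:00:01Z", "actor": "fan-100", "action": "ticket.transfer", "owner": "fan-100"},
    {"ts": "2026-01-10T09:02:14Z", "actor": "fan-311", "action": "ticket.transfer", "owner": "fan-204"},
    {"ts": "2026-01-10T09:02:20Z", "actor": "fan-311", "action": "ticket.transfer", "owner": "fan-377"},
    {"ts": "2026-01-10T09:02:31Z", "actor": "fan-311", "action": "ban.update", "owner": "fan-412"},
    {"ts": "2026-01-10T09:05:00Z", "actor": "staff-7", "action": "ban.update", "owner": "fan-412"},
    {"ts": "2026-01-10T09:06:45Z", "actor": "fan-311", "action": "profile.read", "owner": "fan-311"},
    {"ts": "2026-01-10T09:07:02Z", "actor": "fan-150", "action": "ticket.transfer", "owner": "fan-151"},
]

SENSITIVE_ACTIONS = {"ticket.transfer", "ban.update"}  # hypothetical action names
PRIVILEGED_ACTORS = {"staff-7"}  # hypothetical allowlist of staff accounts


def cross_account_events(events, privileged=PRIVILEGED_ACTORS):
    """Sensitive actions where the caller is neither the object's owner nor privileged."""
    return [
        e for e in events
        if e["action"] in SENSITIVE_ACTIONS
        and e["actor"] != e["owner"]
        and e["actor"] not in privileged
    ]


def actors_to_review(events, min_owners=2):
    """Map actor -> sorted distinct foreign owners, for actors touching >= min_owners."""
    owners = defaultdict(set)
    for e in cross_account_events(events):
        owners[e["actor"]].add(e["owner"])
    return {a: sorted(o) for a, o in owners.items() if len(o) >= min_owners}


if __name__ == "__main__":
    for e in cross_account_events(SAMPLE_EVENTS):
        print("cross-account:", e["ts"], e["actor"], e["action"], "->", e["owner"])
    print("review:", actors_to_review(SAMPLE_EVENTS))
```

A single cross-account transfer can be a legitimate gift to another fan, which is why the second function only escalates accounts that acted on several distinct owners.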
Source articles (5)
- Dutch police arrests suspect linked to Ajax football club hack — Bleepingcomputer · 2026-05-27
  The Dutch National Police arrested a 35-year-old man suspected of hacking the professional football club Ajax Amsterdam (AFC Ajax) earlier this year. The suspect was arrested in Buren and, according t…
- Tuesday press release — www.politie.nl · 2026-05-27
  On the morning of Tuesday, 26 May, detectives arrested a 35-year-old man from the municipality of Buren for computer intrusion at the Amsterdam football club Ajax. The man is suspected of multiple…
- RTL report — www.rtl.nl · 2026-05-27
  The hack makes it possible to view the private data of the more than 300,000 registered Ajax fans and to steal or render unusable the more than 42,000 season tickets. The season ticket holder can…
- Dutch police arrest man over cyber breach at Ajax football club — Therecord.Media · 2026-05-27
  The suspect was detained in the central Dutch town of Buren, where law enforcement officers also searched his and seized multiple digital storage devices, according to a statement released Tuesday by…
- Police arrest suspect in Ajax football club hack that exposed 300,000 fan records — Feeds2.Feedburner · 2026-05-28
  The Dutch National Police arrested a man suspected of hacking into the computer systems of AFC Ajax, a football club from Amsterdam. “On the morning of Tuesday, May 26, detectives arrested a 35-year-o…
Timeline
- 2026-03-01 — Ajax discloses data breach: Ajax confirmed unauthorized access to its systems, affecting hundreds of fans' data.
- 2026-05-26 — Suspect arrested: Dutch police arrested a 35-year-old man for multiple unauthorized intrusions into Ajax's systems.
- 2026-05-27 — RTL News reports on hack details: RTL News revealed how the hack allowed ticket theft and access to sensitive fan data.
- 2026-05-27 — Police confirm investigation details: The police provided details on the suspect's methods and the ongoing investigation into the hack.
- 2026-05-28 — Ajax implements security measures: Ajax announced that it has taken steps to enhance its digital security following the breach.
Related entities
- Data Breach (Attack Type)
- AFC Ajax (Company)
- rtl.nl (Domain)