Ajax Amsterdam, a prominent Dutch football club, has confirmed a significant data breach that compromised sensitive information for 300,000 fans. The incident stemmed from vulnerabilities in the club’s mobile app, allowing unauthorized access to personal details and account functions.
Breach Confirmation and Immediate Response
The club issued a press release stating that a hacker unlawfully accessed parts of its systems. Data from a few hundred individuals, including emails, was viewed. For fewer than 20 stadium-banned fans, names, email addresses, and birth dates were exposed.
All affected fans received notifications warning of potential phishing attempts. Ajax patched the vulnerabilities, informed the Dutch Data Protection Authority, and contacted law enforcement.
Vulnerability in Ajax App Affects Hundreds of Thousands
An ethical hacker demonstrated the flaw’s severity, revealing that personally identifiable information (PII) for 300,000 fans was accessible. The issue involved a single digital key shared by every installation of the app, which let a user manipulate the data packets the app sends.
“By manipulating a sent data packet, you can perform actions on someone else’s behalf, such as transferring a ticket,” the hacker explained. “This way, an unauthorized person could gain access to all kinds of sensitive data belonging to Ajax fans and perform actions.”
The vulnerability allowed ticket and season pass transfers, as well as modifications or removals of stadium bans. This posed a major security risk, potentially permitting hooligans back into the venue.