Mar 27, 2026 · 6 min read
Ajax's Website Let Anyone Access 300,000 Fans' Data With a Simple Script
An unauthenticated API exposed personal data for every registered Ajax fan and allowed season tickets to be reassigned in seconds.
What Happened
On March 25, 2026, AFC Ajax, one of the most storied football clubs in Europe, confirmed a data breach that exposed the personal information of more than 300,000 registered fans. The breach was not the result of a sophisticated cyberattack. It was caused by API endpoints that required no authentication at all. A simple script was enough to access the data.
The vulnerability was discovered after a hacker tipped off Dutch journalist Daniël Verlaan of RTL Nieuws. Verlaan's team independently verified the flaws, demonstrating that they could access fan records, manipulate stadium ban data, and even reassign VIP season tickets to prove the severity of the issue.
The Scale of Exposure
The numbers tell the story. RTL Nieuws confirmed access to more than 300,000 fan accounts. The vulnerabilities also enabled potential tampering with approximately 42,000 season tickets, which could be reassigned to different individuals within seconds. And 538 supporters with stadium bans had their records exposed, meaning their bans could theoretically have been altered or removed by anyone who found the API.
Ajax's official statement tells a different story. The club claims that only "a few hundred" email addresses were actually accessed, and that fewer than 20 individuals with stadium bans had their names, email addresses, and dates of birth viewed. The gap between what was possible and what Ajax says actually happened is significant, and investigators have not confirmed which version is closer to reality.
The Technical Failure
The core issue was a textbook API security failure. Ajax's website APIs allowed unauthenticated access to fan data, meaning anyone could query the endpoints without logging in. Shared credentials were also exposed, enabling broader system access beyond what individual API calls should have permitted.
For developers and security professionals, this is a familiar and preventable pattern. The OWASP API Security Top 10 lists Broken Object Level Authorization and Broken Authentication as the two most common API vulnerabilities. Ajax's systems apparently had both. No authentication was required to access the data, and no authorization checks prevented users from accessing records that did not belong to them.
The ticket transfer vulnerability is particularly concerning. Season tickets could be reassigned without proper authorization, turning a data exposure into a potential financial attack. A season ticket at Ajax's Johan Cruyff Arena can cost hundreds of euros, and being able to transfer 42,000 of them at will represents a significant fraud risk.
Ajax's Response
After being notified, Ajax engaged external security experts, patched the vulnerabilities, and reported the incident to both the Dutch Data Protection Authority and the Amsterdam Police Cybercrime Team. The club stated that no exposed data was leaked publicly and that the situation was contained.
The police investigation is looking at whether the vulnerabilities were exploited at scale before the journalists discovered them. There is also a possible connection to the recent takedown of LeakBase, a criminal forum where databases from Dutch companies were previously sold. Whether Ajax fan data appeared on that platform before it was seized remains an open question.
The Bigger Picture
Sports organizations collect enormous amounts of personal data: names, addresses, payment information, travel patterns, and biometric data for stadium access. Yet they rarely face the same security scrutiny as banks, healthcare providers, or tech companies. The Ajax breach is a reminder that any organization holding personal data is a target, regardless of whether its primary business is football.
Under GDPR, organizations that fail to protect personal data face fines of up to 4% of annual global revenue or €20 million, whichever is higher. Ajax's total revenue for the 2024/25 season was approximately €200 million, meaning a maximum GDPR fine could reach €8 million. Whether the Dutch Data Protection Authority pursues enforcement will depend on the investigation's findings about the scope of the breach and Ajax's security practices prior to the incident.
For fans, the practical advice is straightforward: if you have an Ajax account, change your password and monitor your email for phishing attempts. Breached email addresses frequently end up in phishing campaigns, and 300,000 confirmed football fans are a high-value target for social engineering.
What This Means for API Security
The Ajax breach is a case study in what happens when basic security hygiene is skipped. APIs need authentication. Authorization checks need to verify that users can only access their own data. Sensitive operations like ticket transfers need additional verification layers. None of this is new or controversial in security circles, but it continues to be ignored by organizations that treat their web platforms as an afterthought.
If your organization exposes APIs that handle personal data, this is a good time to audit them. The question is not whether your APIs have similar flaws. The question is whether you have checked.
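As an added illustration of the failure described under The Technical Failure and of the three fixes named in this closing section, here is a constructed model of a fan-data API. It is not code from the article or from Ajax's platform: there is no web framework, requests are plain dicts, and every fan id, email address, seat, session token and endpoint name is made up. The "before" handlers reproduce the pattern the article describes (no authentication, no object-level check, one-call ticket reassignment); the "after" handlers add bearer-token authentication, an ownership check that answers 404 rather than 403 so it does not confirm which ids exist, and a one-time confirmation code for the transfer. The last function is the audit the closing paragraph asks for: call every endpoint with no credentials and list any that still answer 2xx.

```python
"""Constructed model of a fan-data API: the unauthenticated 'before' next to
a hardened 'after'. Requests are plain dicts (no web framework), and every
fan, ticket and token below is made up so the example runs offline."""
import hmac
import secrets

# Constructed sample records; ids, emails and seats are placeholders.
FANS = {
    101: {"email": "alice@example.invalid", "dob": "1990-01-01", "banned": False},
    102: {"email": "bob@example.invalid", "dob": "1985-05-05", "banned": True},
}
SEASON_TICKETS = {5001: {"owner": 101, "seat": "N-12"}, 5002: {"owner": 102, "seat": "S-7"}}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}   # server-side: bearer token -> fan id
PENDING_CODES = {}                              # fan id -> one-time transfer code
OUTBOX = []                                     # stand-in for the email channel

# --- 'Before': the pattern the article describes ---------------------------
def get_fan_vulnerable(req, fan_id):
    # No authentication, and no check that the caller owns the record (BOLA).
    return 200, FANS.get(fan_id)

def transfer_ticket_vulnerable(req, ticket_id, new_owner):
    # Anyone can reassign any season ticket with a single call.
    SEASON_TICKETS[ticket_id]["owner"] = new_owner
    return 200, {"ticket": ticket_id, "owner": new_owner}

# --- 'After': authentication, object-level authorization, step-up ----------
def authenticate(req):
    """Resolve the bearer token to a fan id; None if absent or unknown."""
    auth = req.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])

def get_fan(req, fan_id):
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != fan_id:
        # Object-level check. 404 rather than 403 so the response does not
        # confirm which fan ids exist.
        return 404, {"error": "not found"}
    return 200, FANS[fan_id]

def request_transfer_code(req, ticket_id):
    """Step-up for a sensitive operation: send the owner a one-time code."""
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    ticket = SEASON_TICKETS.get(ticket_id)
    if ticket is None or ticket["owner"] != caller:
        return 404, {"error": "not found"}
    code = secrets.token_hex(4)
    PENDING_CODES[caller] = code
    OUTBOX.append((caller, code))   # delivered out of band, never in the response
    return 202, {"status": "confirmation code sent"}

def transfer_ticket(req, ticket_id, new_owner, code):
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    ticket = SEASON_TICKETS.get(ticket_id)
    if ticket is None or ticket["owner"] != caller:
        return 404, {"error": "not found"}
    # Single use: a wrong guess also consumes the code, so it cannot be guessed repeatedly.
    expected = PENDING_CODES.pop(caller, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return 403, {"error": "invalid or expired confirmation code"}
    if new_owner not in FANS:
        return 400, {"error": "unknown recipient"}
    ticket["owner"] = new_owner
    return 200, {"ticket": ticket_id, "owner": new_owner}

# --- The check the closing paragraph asks for ------------------------------
def audit_unauthenticated(endpoints):
    """Call each endpoint with no Authorization header; return those answering 2xx."""
    anon = {"headers": {}}
    return [name for name, call in endpoints.items() if 200 <= call(anon)[0] < 300]

VULNERABLE = {"GET /fans/{id}": lambda r: get_fan_vulnerable(r, 101)}
HARDENED = {
    "GET /fans/{id}": lambda r: get_fan(r, 101),
    "POST /tickets/{id}/transfer-code": lambda r: request_transfer_code(r, 5001),
    "POST /tickets/{id}/transfer": lambda r: transfer_ticket(r, 5001, 102, "0000"),
}

if __name__ == "__main__":
    print("unauthenticated access, before:", audit_unauthenticated(VULNERABLE))
    print("unauthenticated access, after: ", audit_unauthenticated(HARDENED))
```

The audit function is deliberately the simplest possible regression test: point it at a route table and it fails the build the moment any endpoint handling personal data answers an anonymous request. The transfer flow shows why "additional verification layers" matters for the 42,000-ticket scenario: even a caller holding a valid session for the owner cannot move a ticket in one call, and the confirmation code is consumed on the first attempt whether or not it was correct.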