AFC Ajax data breach exposes private data of 300,000 fans

UpGuard Team
March 27, 2026

Key facts: AFC Ajax data breach

Date reported: March 27, 2026

Target entity: AFC Ajax

Source of breach: Unknown, unauthorized third-party

Data types: Names, email addresses, season ticket information, stadium ban status

Status: Confirmed; reported on March 27, 2026.

Severity: Medium; exposure of personal contact details and ticketing information for a large supporter base.

What happened in the AFC Ajax data breach?

AFC Ajax (ajax.nl) disclosed a data breach on March 27, 2026, stemming from vulnerabilities in its official mobile application and website. The security incident involved exposed APIs that allowed unauthorized access to sensitive supporter information. While the football club initially reported a limited impact affecting individuals under stadium bans, subsequent investigations revealed a much larger scope. An investigation by an RTL journalist indicated that the private data of over 300,000 registered fans was accessible. Additionally, the flaws provided the potential to steal or disable 42,000 season tickets and modify active stadium bans.

Ajax has since patched the vulnerabilities and notified the Dutch Data Protection Authority. This incident is classified as medium severity due to the volume of personal data exposed and the potential for service disruption. The club has also filed a police report and is investigating the full extent of the exposure. Such breaches typically lead to increased phishing attempts and unauthorized account access for the affected user base.

Who is behind the incident?

The attacker or cause of the incident has not been identified.

Impact and risks for AFC Ajax customers

For supporters of AFC Ajax, the primary risks include targeted phishing campaigns and identity theft. With names and email addresses exposed, malicious actors may craft convincing messages to solicit further sensitive information or login credentials. The vulnerability also posed a direct risk to ticketing services, with the potential for 42,000 season tickets to be disabled or stolen, which could lead to significant disruption for fans attending matches.

Furthermore, the ability to modify stadium bans presents a security risk to the physical venue and its operations. Organizations typically face reputational damage and regulatory scrutiny following such exposures. Affected individuals should monitor their accounts for suspicious activity and be cautious of unsolicited communications. Maintaining transparency about the scope of the breach is a critical step in helping users protect themselves from secondary attacks.

How to protect against similar security incidents

Following the data breach at AFC Ajax involving exposed APIs and fan data, supporters should take immediate steps to secure their personal information and digital accounts.

Practice vigilant email security. Be wary of any emails or messages claiming to be from AFC Ajax or ticketing partners. Avoid clicking on links or downloading attachments from unverified sources. Report any suspicious communication to the club's official support channels.

Secure your fan accounts. Change the password for your AFC Ajax account and any other accounts that use the same credentials. Enable multi-factor authentication (MFA) where available to provide an extra layer of security against unauthorized access.

Monitor ticketing and financial activity. Check your season ticket status and match history for any unauthorized changes. Review your bank statements for any unusual transactions if your payment details were linked to the compromised accounts.

Implement continuous attack surface management. Organizations should deploy automated tools to discover and monitor exposed APIs and web vulnerabilities. Regular security audits and penetration testing can help identify flaws before they are exploited by unauthorized parties.

Staying informed and proactive is essential for mitigating the risks associated with this security incident.

Frequently asked questions

What happened in the AFC Ajax security breach?

On March 27, 2026, AFC Ajax (ajax.nl) disclosed a security breach. According to initial reports, vulnerabilities in the club's app and website, including exposed APIs, allowed unauthorized access to the private data of over 300,000 fans and the potential compromise of 42,000 season tickets.

When did the AFC Ajax breach occur?

The AFC Ajax breach was publicly reported on March 27, 2026. The exact date of the attack has not been disclosed.

What data was exposed?

The types of data involved in the AFC Ajax incident include names, email addresses, season ticket information, and stadium ban records. This page will be updated as verified information becomes available.

Is my personal information at risk?

If you interacted with AFC Ajax, there's a possibility your personal information could be affected. Similar incidents often involve email addresses, login details, or financial records. Stay alert for updates and take precautionary measures to secure your accounts.

What steps should companies take after being breached?

AFC Ajax has patched the vulnerabilities, notified the Dutch Data Protection Authority, and filed a police report. The club is also urging supporters to remain vigilant against phishing and is reviewing its security measures to prevent future API exposures.

Sources

AFC Ajax Investigating Data Breach
