Ajax Football Club Hack Exposed Fan Data and Enabled Ticket Hijack

A hacker breached AFC Ajax systems, exposing 300,000 fan accounts and enabling ticket reassignment via vulnerable APIs and shared keys.
Ajax Amsterdam Got Hacked - And a VIP Season Ticket Was Reassigned in Seconds
Dutch football giants AFC Ajax confirmed a security breach that let an attacker walk through their IT systems like an open turnstile. The hacker accessed fan data, manipulated stadium ban records, and - most dramatically - demonstrated the ability to reassign any of 42,000 season tickets to arbitrary people. Ajax only learned about it when journalists knocked on their door with a tip from the attacker themselves.
RTL journalists independently verified the flaws. In a live demo, they reassigned a VIP season ticket in seconds. The full blast radius: potential access to over 300,000 fan accounts, 538 stadium ban records, and bulk ticket manipulation - all via exposed APIs and shared keys.
What Actually Went Wrong
The attack surface here is a textbook example of broken API security:
- Exposed API endpoints with insufficient authorization checks allowed ticket transfers without ownership verification
- Shared keys - hardcoded or improperly distributed credentials - gave broad access to backend systems
- Missing object-level authorization let the attacker (and journalists) read and modify stadium ban records belonging to other users
- No anomaly detection - the club learned about the breach from media, not their own monitoring
Ajax confirmed that email addresses for a few hundred users were viewed, and for fewer than 20 banned individuals, names, email addresses, and dates of birth were accessed. The attacker appears to have acted without malicious intent, but the structural weaknesses were real and wide open.
How Developers Can Avoid This
If you're building ticketing systems, fan portals, or any platform with user-owned assets, lock this down:
- Enforce object-level authorization (IDOR prevention) - every API request touching a ticket, ban record, or account must verify that the authenticated caller owns or has explicit rights to that specific resource, not just that the caller is logged in
- Rotate and vault API keys - shared keys passed around teams are a liability; issue per-integration keys scoped to what each integration needs, keep them in a secrets manager, and prefer short-lived tokens
- Implement rate limiting and anomaly detection on ticket transfer endpoints - one account reassigning tickets it does not own, or more than a handful in an hour, should trigger alarms long before anyone gets near 42,000
- Audit third-party API integrations regularly - broad access granted to internal services can become an attacker's pivot point
- Never rely on obscurity - assume attackers will find your endpoints and design authorization as if every endpoint is public
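To make the failure modes in "What Actually Went Wrong" and the fixes above concrete, here is an added example (not Ajax's code, and not based on their actual systems) in Python. It puts a vulnerable transfer endpoint that trusts a client-supplied ticket id next to a hardened service that checks a scoped, short-lived token, enforces ownership of the specific ticket, rate-limits transfers per account, and raises alerts on id probing and bulk reassignment. The ticket records, account names, scope string, thresholds, and class names (`TransferService`, `Token`) are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class Ticket:
    ticket_id: int
    owner: str    # account that currently holds the ticket
    seat: str


@dataclass(frozen=True)
class Token:
    """Short-lived, scoped bearer token (stand-in for a JWT or opaque token)."""
    subject: str            # authenticated account
    scopes: FrozenSet[str]
    expires_at: float       # unix time


class AuthorizationError(Exception):
    pass


class RateLimited(Exception):
    pass


def sample_tickets() -> Dict[int, Ticket]:
    """Constructed sample data for the example; not real Ajax records."""
    return {
        1001: Ticket(1001, "alice", "VIP-12"),
        1002: Ticket(1002, "alice", "VIP-13"),
        1003: Ticket(1003, "alice", "VIP-14"),
        1004: Ticket(1004, "alice", "VIP-15"),
        2001: Ticket(2001, "bob", "N-404"),
    }


def transfer_insecure(tickets: Dict[int, Ticket], ticket_id: int, new_owner: str) -> Ticket:
    """Vulnerable pattern: look the ticket up by the id the client sent and
    reassign it without checking who is calling (missing object-level
    authorization / IDOR). Anyone who can reach the endpoint moves any ticket."""
    ticket = tickets[ticket_id]
    ticket.owner = new_owner
    return ticket


class TransferService:
    """Hardened endpoint: scoped token, ownership check, rate limit, alerting."""

    def __init__(self, tickets, max_transfers=3, window_s=3600, probe_threshold=3):
        self._tickets = tickets
        self._max, self._window, self._probe_threshold = max_transfers, window_s, probe_threshold
        self._transfers: Dict[str, List[float]] = defaultdict(list)  # subject -> times
        self._denied: Dict[str, int] = defaultdict(int)               # subject -> denials
        self.alerts: List[str] = []   # what a SOC would be paged on

    def transfer(self, token: Token, ticket_id: int, new_owner: str, now: float) -> Ticket:
        if token.expires_at <= now:
            raise AuthorizationError("token expired")
        if "ticket:transfer" not in token.scopes:
            raise AuthorizationError("token lacks ticket:transfer scope")
        ticket = self._tickets.get(ticket_id)
        # Object-level authorization: the authenticated subject must own this
        # ticket. Same error for "missing" and "not yours" so ids cannot be
        # enumerated from differing responses; repeated denials are a signal.
        if ticket is None or ticket.owner != token.subject:
            self._denied[token.subject] += 1
            if self._denied[token.subject] >= self._probe_threshold:
                self.alerts.append(f"{token.subject}: {self._denied[token.subject]} denied transfers (id probing?)")
            raise AuthorizationError("ticket not found or not owned by caller")
        # Rate limit: bulk reassignment from one account is never legitimate.
        recent = [t for t in self._transfers[token.subject] if now - t < self._window]
        if len(recent) >= self._max:
            self.alerts.append(f"{token.subject}: transfer rate limit hit")
            raise RateLimited("too many transfers in window")
        self._transfers[token.subject] = recent + [now]
        ticket.owner = new_owner
        return ticket


def demo() -> dict:
    """Exercise both endpoints on the sample data and collect the outcomes."""
    now = 1_700_000_000.0
    outcomes = {}
    # Insecure endpoint: "mallory" hijacks alice's VIP ticket knowing only its id.
    outcomes["hijacked_owner"] = transfer_insecure(sample_tickets(), 1001, "mallory").owner

    svc = TransferService(sample_tickets())
    scope = frozenset({"ticket:transfer"})
    bob, alice, stale = Token("bob", scope, now + 600), Token("alice", scope, now + 600), Token("alice", scope, now - 1)
    denied = 0
    for tid in (1001, 1002, 1003):          # bob probes alice's ticket ids
        try:
            svc.transfer(bob, tid, "mallory", now)
        except AuthorizationError:
            denied += 1
    outcomes["foreign_denied"] = denied
    try:
        svc.transfer(stale, 1001, "carol", now)
        outcomes["expired_token"] = "allowed"
    except AuthorizationError:
        outcomes["expired_token"] = "denied"
    outcomes["legit"] = svc.transfer(alice, 1001, "carol", now).owner
    svc.transfer(alice, 1002, "dave", now + 1)
    svc.transfer(alice, 1003, "erin", now + 2)
    try:
        svc.transfer(alice, 1004, "frank", now + 3)   # fourth in the window
        outcomes["bulk"] = "allowed"
    except RateLimited:
        outcomes["bulk"] = "rate_limited"
    outcomes["alerts"] = len(svc.alerts)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the ownership check keys on `token.subject`, which comes from the verified token, never from a caller-supplied account id; and the thresholds (three transfers an hour, three denials) are deliberately low for a consumer ticketing flow, where legitimate users transfer one or two tickets at a time.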
The Bigger Picture
Ajax has patched the vulnerabilities, brought in external experts, and notified Dutch data protection authorities and police. But the fact that these flaws existed undetected - and were disclosed by a hacker through journalists rather than caught internally - signals a serious gap in proactive security testing.
Fans who registered with Ajax or hold season tickets should watch for phishing attempts impersonating the club.
Is your app vulnerable to similar attacks? Run an automated scan in 3 minutes with VibeShield.