Dutch football club AFC Ajax suffered a data breach where an attacker exploited exposed APIs and shared authentication keys to impersonate users, transfer season tickets, modify account details, and lift stadium bans. RTL News demonstrated the severity by transferring a VIP ticket from an Ajax director's account in seconds. The vulnerabilities potentially exposed data for over 300,000 supporters and put 42,000+ season tickets at risk. Ajax's public statement downplayed the incident, citing only a few hundred email addresses and fewer than 20 ban records accessed, while the actual flaws allowed full account takeover actions rather than just data viewing.