Overview
- AFC Ajax says it has patched security flaws and opened a probe after a hacker accessed parts of its systems and viewed data.
- RTL journalists, tipped off by the intruder, verified that exposed app and website APIs and shared access keys let outsiders act as users, move season tickets, and change stadium-ban records.
- The club confirms email addresses of a few hundred people were viewed and, for fewer than 20 banned supporters, names, emails, and birth dates were accessed, while RTL reported potential reach to over 300,000 accounts, 42,000 season tickets, and 538 bans.
- Ajax brought in external security experts, filed a police report, and notified the Dutch Data Protection Authority, and it urged fans to watch for phishing emails.
- Fans faced practical risks like tickets disappearing from accounts and sensitive ban details being exposed, and it remains unclear whether others found or abused these weaknesses before they were fixed.