Massive data breach exposes personal records of 150,000 football players and staff ahead of 2026 World Cup

Sensitive personal data belonging to more than 150,000 football players and coaching staff linked to the Asian Football Confederation and Saudi club Al Nassr FC has been exposed on a hacker forum, creating significant cybersecurity and physical safety concerns weeks before the start of the 2026 FIFA World Cup.

The breach includes approximately 69,000 player profiles and 81,000 staff records, featuring passport copies, contracts, email addresses, and tournament registration files tied to Asian competitions. High-profile individuals potentially affected include Cristiano Ronaldo, Sadio Mané, and Aymeric Laporte, all currently playing for Al Nassr FC, a leading professional football club in Saudi Arabia.

The Asian Football Confederation, the governing body for football across Asia and Australia, oversees competitions and player registrations across the region. The exposed dataset reportedly contains detailed personal and professional information such as full legal names, passport numbers, dates of birth, nationalities, club affiliations, and match-related data.

The data surfaced on a known cybercriminal marketplace, where the individual responsible for the leak claimed links to the ShinyHunters group, a hacking collective associated with multiple extortion campaigns. Analysts assessing the breach indicate the actor appears to be leveraging the group’s reputation to enhance credibility, with financial gain identified as the primary motive.

The timing of the exposure heightens its potential impact. Several national teams under the AFC umbrella are set to compete in the 2026 FIFA World Cup, scheduled from June 11 to July 19 across the United States, Canada, and Mexico. The availability of detailed personal data, combined with publicly known travel schedules and accommodations during the tournament, increases the risk of targeted cyberattacks, fraud schemes, and potential physical security threats.

Security experts warn that the combination of verified email addresses, contract details, and identification documents creates a highly actionable dataset for phishing campaigns, financial fraud, and social engineering attacks targeting players, agents, and club officials.

Additional risks are expected to emerge during the summer transfer window, when negotiations involving player contracts, transfer fees, and endorsement deals intensify. The exposure of agent contacts and contractual data could enable sophisticated scams or manipulation attempts during this critical period in the football calendar.