
Hackers reportedly compromised the Asian Football Confederation to steal the personal records of over 150,000 members and published the data on the dark web, including details of celebrity footballers.
According to multiple news reports, the large-scale data leak involved protected personal information of about 150,000 members of the AFC, including players, administrators, coaching staff and other members. The data dump was leaked on the dark web by a threat actor in April.
A review of the compromised dataset revealed that it contained players’ full names, dates of birth, nationalities, scanned copies of their passports, registration documents, contracts and emails. The threat actor, who posted the data on the dark web, thanked the notorious ShinyHunters extortion group for obtaining the sensitive information.
It is unclear if the data was taken from the systems of the Asian Football Confederation or from a third-party vendor. The football federation is yet to comment on the data security incident.
The leaked dataset contained the personal information of several high-profile players, including Neymar, Son Heung-min, Lee Kang-in and FIFA President Gianni Infantino, as well as players associated with Al Nassr FC, where Cristiano Ronaldo plays.
Information obtained from the leaked dataset can enable skilled cybercriminals to mount targeted social engineering attacks that use the upcoming football World Cup in North America as bait to lure players, administrators and coaching staff into sharing their information, making payments or clicking on malicious links.
A total of nine Asian teams have qualified for the FIFA World Cup 2026, including Australia, Iran, Japan, Jordan, Uzbekistan, Qatar, Saudi Arabia, and South Korea. The tournament will take place between June 11 and July 19 this year and will be hosted by the United States, Canada and Mexico.
News of the massive data leak comes not long after hackers compromised the French Football Federation’s club management software, which the governing body uses to register and administer players across multiple domestic leagues.
The compromised database contained names, genders, dates and places of birth, nationalities, postal addresses, email addresses, phone numbers, and football license identification numbers. Hackers reportedly used a compromised account in November to gain access to the software, which reportedly contained the details of more than 2.3 million license holders.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543