In what is being described as the largest cybersecurity breach in the history of sports, the notorious hacking group ShinyHunters has claimed responsibility for stealing and leaking over 150,000 sensitive documents belonging to top football players, coaches, and high-ranking officials.
The breach, which was first detected on April 27, 2026, has sent shockwaves through the global football community just weeks before the start of the 2026 FIFA World Cup (scheduled for June 11).
High-Profile Targets and Sensitive Data
The leaked files reportedly include a vast trove of personally identifiable information (PII) and confidential corporate data. Among those affected are:
- Star Players: Names such as Neymar Jr., Son Heung-min, Lee Kang-in, and Mehdi Taremi have been identified in the leaked databases.
- Officials: The breach reportedly includes the personal files and diplomatic passport information of FIFA President Gianni Infantino.
- Organizations: The primary targets appear to be the Asian Football Confederation (AFC) and the Saudi Arabian club Al Nassr FC.
What Information Was Stolen?
According to cybersecurity analysts at Dataminr and UpGuard, the stolen data is highly structured and includes:
- Identity Documents: Passports (including diplomatic versions) and ID cards.
- Contracts: Professional player contracts and sponsorship agreements.
- Financial Records: Banking details and transfer documents.
- Communications: Internal emails and competition registration forms.
How Did It Happen?
The group ShinyHunters is known for sophisticated “identity-based” attacks. Initial investigations suggest they gained access through:
- Third-Party Vulnerabilities: Exploiting integrations used for player registration and transfer management.
- Social Engineering: Utilizing “voice phishing” and MFA (Multi-Factor Authentication) bypass techniques to hijack administrative accounts.
FIFA and AFC Response
While FIFA has not yet issued a formal statement on the specific details of the breach, the AFC has acknowledged an investigation into “unauthorized access to its digital assets.” Security experts warn that the leak of diplomatic passports poses a risk that extends beyond football, potentially impacting international security and diplomatic travel.
ShinyHunters: A Resurgent Threat
This attack is part of a broader 2026 campaign by ShinyHunters, who have recently claimed successful breaches against major entities like Vercel, Udemy, and ADT Inc. The group’s decision to target football just before a World Cup suggests a motive aimed at maximum publicity and high-stakes extortion.
Authorities are advising all football organizations to immediately audit their third-party integrations and reset credentials for all personnel involved in player management.
