-
A dark web actor crediting ShinyHunters claims they leaked the complete AFC player and coach database, including passports, contracts, and registration records for over 150,000 individuals.
-
Several AFC nations and four Al Nassr FC players from European countries are heading to the World Cup, making this leaked data operational and dangerous right now.
-
Diplomatic passport scans found in the leak raise national security flags for multiple AFC member nations and FIFA’s tournament infrastructure.
Someone suspected to share ties with the notorious hacker group ShinyHunters claims they’d managed to breach the Asian Football Confederation (AFC) and had their hands on thousands of sensitive player records.
There’s speculation that this leak might be more than just an accident – that it’s actually a deliberate move to cause chaos at the 2026 FIFA World Cup, which of course kicks off on June 11, with a whole bunch of Asian teams competing.
The data dump apparently spills some pretty sensitive info, Player’s records are part of it, and diplomatic passports too. That turns this from a sports story into a potential national security concern.
A Massive Leak With Perfect Timing
In an April 27 post on a prominent cybercrime forum, a threat actor published a database allegedly stolen from the AFC and Al Nassr FC, is a top football club in Saudi Arabia. The actor gave credit to the popular hacking group ShinyHunters and even took a jab at rival football fan communities. That suggests they know football culture well and want extra attention.
Why the timing matters:
In a few weeks, the FIFA World Cup will start. And eight Asian countries that qualified will be there, Japan, Iran, South Korea, and Saudi Arabia inclusive. Interestingly, four Al Nassr FC players– Cristiano Ronaldo (Portugal), Marcelo Brozović (Croatia), Sadio Mané (Senegal), and Aymeric Laporte (Spain) – will be there too. These players’ confidential and private information being exposed in a data leak is something worth looking into.
The leaked data connects directly to World Cup travel and registration. FIFA shares player data with confederations like the AFC. So this breach could spread into FIFA’s own systems.
Details of the Leaked Info
The hacker claims they have 150,000 coach and player records. That includes full passport scans, verified emails, contracts, and competition forms. Some diplomatic passports are in there too.
Other records floating around include full legal names and dates of birth. There’s also passport numbers with actual scans, nationality and AFC IDs. Playing positions and jersey details are among. And even lub names, venues, and match dates.
Because World Cup squads use AFC registration channels, this isn’t old history. These records are current, verified, and tied to people whose travel plans are public news.
Implications of the Breach
Here’s a break down the real risks. First, financial fraud. Contract details show salaries, agent names, renewal dates, and transfer fees. Pair that with verified emails, and criminals can run incredibly convincing scams. They’ll pretend to be agents or club executives. They’ll ask for wire transfers, signing bonuses, or image rights payments. The post- World Cup transfer window will be a feeding ground for this kind of attack.
Second, identity fraud. With scans of passports, birth dates, and other important national info, criminals can open bank accounts in a victim’s name, apply for loan, or create fake IDs. Athletes with high net worths are often prime targets.
Possible Reasons for the Attack and Who’s Behind It
The attacker seems to be someone operating on forum level. They’re borrowing ShinyHunters’ scary reputation. That group is financially motivated and tied to the Scattered LAPSUS$ Hunters alliance. They’ve done large-scale theft and extortion before.
Money is the main driver here. But there’s also a show-off element. The theatrical post and the fan culture jabs point to some hacktivism or pure reputation damage motives.
Why the AFC and Al Nassr? Several reasons came together. The AFC had a passport forgery scandal in March involving Malaysia’s team. There have been VAR and governance fights at the AFC Champions League level. Al Nassr faced favoritism allegations tied to Saudi’s Public Investment Fund. Add in Gulf region tensions and a cooling Saudi sports investment climate that likely stretched security teams thin. Oh, and the World Cup’s global spotlight gives maximum embarrassment value.
What’s Next
Football organizations need to treat this as a sector-wide wake-up call. ShinyHunters doesn’t stop with one target. Any club or league holding athlete data is vulnerable right now.
First, audit where you store passport scans, contracts, and contact info. Check who has access. Unencrypted document stores are sitting ducks.
Second, lock down third- party integrations. Sports groups share data everywhere — registration platforms, transfer systems, competition tools. Each connection is a door. So, immediate action is crucial. Review vendor access. Enforce least privilege rules. And rotate API keys ASAP.
Third, protect financial workflows. Agents and finance teams must use out-of-band verification for any money instruction sent by email. With contract data in the wild, fake requests will look very real.
Fourth, treat the post-World Cup transfer window as a high-risk zone. That’s when massive money moves around. Verify every payment request twice.
Importantly, players and coaches need to be made aware of the risks, like what phishing is and how to detect it. The airline booking system breach claim serves as a parallel warning, whether you’re managing football player data or airline passenger records, the same principles apply: audit your data storage, lock down third-party integrations, and verify every sensitive request before acting.
Also educate them about identity fraud and social engineering. Every player should take financial account monitoring seriously and set up fraud alerts as well. This data is already circulating on the dark web, and there’s no going back; it’s a ready weapon for any criminal who gets a hold of it.
