Sensitive personal data belonging to more than 150,000 football players and staff linked to the Asian Football Confederation (AFC) and Saudi club Al Nassr has been leaked online, raising security concerns just weeks before the 2026 FIFA World Cup.
According to reports, the dataset includes passport scans, identification details, contracts, and verified email addresses tied to both players and coaches. The breach reportedly affects around 69,000 players and 81,000 staff members, making it one of the largest known incidents involving professional football data.
The exposed information goes beyond basic records. Leaked files are said to contain full legal names, passport numbers, dates of birth, nationalities, club affiliations, and tournament registration data linked to AFC competitions. These details are considered highly sensitive, particularly given their direct connection to identity verification and international travel.
The data was allegedly published on a cybercrime forum, where the threat actor claimed to possess a complete database of AFC players and coaches. The individual behind the leak referenced ties to the ShinyHunters group, though researchers suggest the actor may be leveraging the group’s reputation to increase credibility and financial gain.
Security analysts warn that the combination of passport data, contracts, and verified contact information creates a high-risk environment for targeted attacks. The dataset could enable identity fraud, phishing campaigns, contract manipulation, and social engineering attempts aimed at high-profile athletes, agents, and clubs.
The timing of the breach significantly increases its potential impact. Multiple AFC member nations are preparing to participate in the 2026 FIFA World Cup, meaning many affected individuals will be traveling internationally with publicly known schedules and locations. This overlap introduces not only financial and cyber risks but also potential physical security concerns.
Researchers noted that the leaked data is “operationally relevant,” indicating it could be actively used for exploitation rather than being outdated or incomplete. The presence of verified and structured records further increases its value in underground markets.
The incident highlights ongoing cybersecurity challenges in global sports organizations, where large centralized databases of personal and contractual information can become high-value targets. As major international events approach, such datasets become even more attractive to threat actors seeking financial gain or disruption.