Massive data breach hits Asian football two months before the World Cup

More than 150,000 player and coaching profiles linked to the Asian Football Confederation and Saudi club Al Nassr FC were exposed on a hacker forum, according to a Dataminr intelligence note dated April 28, 2026. The database includes passport copies, contracts, email addresses and competition registration files for Asian tournaments. Around 69,000 players and 81,000 staff members are believed to be affected.

Among the potentially exposed profiles are Cristiano Ronaldo, Sadio Mané and Aymeric Laporte, all three currently active at Al Nassr.

The timing makes matters worse. Several AFC-affiliated national teams will compete in the 2026 World Cup, scheduled from June 11 to July 19 in North America. Cross-referencing this data with official squad lists could facilitate targeted attacks: financial fraud, phishing, and even physical threats, given that players’ travel arrangements and accommodations are largely public during the tournament.

The person behind the leak claims ties to the ShinyHunters collective, already involved in several extortion operations. Dataminr analysts lean toward an opportunistic actor seeking financial gain, leveraging the group’s reputation to boost their own credibility.

The summer transfer window represents a second exposure front. Contracts, personal data and agents’ contact details are prime material for targeted phishing campaigns at a time when contract negotiations are at their most intense. Clubs, agents and federations are being urged to overhaul their data storage practices without delay.