The passports and personal details of more than 150,000 AFC and Al Nassr FC players and coaches were leaked online by a hacker claiming links to ShinyHunters – raising major security concerns only weeks before the start of the 2026 FIFA World Cup Games.

The threat actor claims to have dumped the “complete AFC players and coaches database” on the PwnForums hacker marketplace over the weekend, including player and staff data tied to clubs such as Al Nassr FC, according to a Dataminr intel brief published Monday.

The AFC, short for the Asian Football Confederation, oversees football across Asia and Australia.

Al Nassr FC is one of Saudi Arabia’s highest-profile football clubs, with a roster that includes global superstars Cristiano Ronaldo (Portugal), Sadio Mané (Senegal), Marcelo Brozović (Croatia), and Aymeric Laporte (Spain).

“The combination of passport scans, verified email addresses, and player contract data creates a highly actionable package for financial fraud, contract manipulation, and targeted social engineering against some of the world’s highest-earning athletes,” said Jeanette Miller-Osborn, Field Cyber Intelligence Officer at Dataminr.

Passports, IDs, and player records exposed

Posting several samples of the stolen files on PwnForums, the hacker claims to have a massive amount of sensitive information stored by the governing body, including passports, contracts, emails, and AFC Champions League Elite registration records.

Other detailed information included in the leaked data is full legal names, passport numbers and scans, dates of birth, nationalities, player positions, AFC IDs, club names, match details, and venue information.

A total of 69,000 players and 81,000 coaches are said to have been compromised.

The breach takes on new significance as multiple AFC member nations are set to compete in the 2026 FIFA World Cup, which runs from June 11th to July 19th across Canada, Mexico, and the US, with South Korea playing on kick-off day.

Other competing AFC member nations include Japan, Australia, Iran, and Saudi Arabia.

Interestingly, the threat actor credited the notorious ShinyHunters extortion group with helping to facilitate the leak post, labeling their handiwork as “the largest breach in football history.”

Meantime, Dataminr has described the hacker as “a forum-level operator leveraging the credibility of ShinyHunters,” further attributing their motivation as “primarily financial.”

“While a personal jab referencing rival football fan communities suggests the actor is embedded in football fan culture and may be baiting public controversy, the possession and release of this data creates a narrow but serious physical security consideration ahead of the World Cup," Miller-Osborn says about the threat actor.

The Dataminr blog also confirms the compromised data to be “live, verified, and operationally relevant right now.”

World Cup raises stakes

Dataminr warns the exposed records could lead to serious identity fraud and security risks for players, agents, clubs, and legal teams – and even raise potential national security concerns across multiple AFC member nations.

“The overlap between leaked AFC registration data and active FIFA tournament rosters, once submitted, ties the records to individuals whose movements, accommodations, and schedules are publicly known for the duration of the tournament," Miller-Osborn says.”

“This creates a narrow but serious physical security consideration alongside the cyber and financial risks,” she added.

Furthermore, the risk could become more urgent after the World Cup, when the summer transfer window opens, as football clubs, agents, and players negotiate major contracts, including signing bonuses, image rights payments, and transfer fees.

Dataminr is warning clubs, leagues, federations, and commercial partners to review how they store athlete data, harden third-party integrations, rotate exposed credentials, and prepare for possible follow-on phishing attempts.

---

Unlock more exclusive Cybernews content on YouTube.