Cyber security research experts have claimed Football Australia had data of ticket-buyers, players and other private documents leaked.
Subscribe now for unlimited access.
or signup to continue reading
In what has been described as a "critical data exposure incident", the sensational report was revealed by the independent Cybernews research team, based in Lithuania.
The researchers said Football Australia had "leaked secret keys potentially opening access to 127 buckets of data, including ticket-buyers' personal data and players' contracts and documents".
It found plain-text Amazon Web Services keys were left hardcoded into the HTML page of its subdomain and accessible, blaming human error. The keys allow access to data stored online.
"For example, one publicly accessible bucket contained personal details," Cybernews said in a statement.
"Moreover, one bucket did not even require authentication and contained personal information, contracts, and documents of football players."
Football Australia released a statement following the research being shared.
"Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority," a statement read.
"Football Australia takes the security of all its stakeholders seriously.
"We will keep our stakeholders updated as we establish more details."
The data exposed, Cybernews claims, included personal identifiable information of players, internal infrastructure details, source code of the digital infrastructure, scripts of the digital infrastructure, and most alarmingly for the public, ticket purchase information.
"While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected," Cybernews said.
"The team could not pinpoint the exact amount of data exposed in the leak, as that would require violating strict whitehat researcher principles.
"The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail."
Researchers believed a developer "likely inadvertently left a reference hidden in a script accessible to the public", which led to the leak.
Football Australia was in the process of investigating the claims on Thursday.
The governing body of soccer, futsal and beach soccer around the country is the latest major organisation to have its cyber security compromised, following infamous breaches affecting millions of Australian customers of Optus, Medibank, Latitude Financial and Dymocks.