  • A single file exposed more than 22,000 football fan accounts
  • A sports travel database showed how far fan data can spread
  • More than 1.1 million breached passwords included football terms
  • 71.7% of U.S. fans reuse a password or variation somewhere else
  • How football fans can lower the risk
  • Methodology

Why your favourite football team could be your biggest cybersecurity threat

ExpressVPN news 23.06.2026 10 mins
Written by Jeremiah Fowler
Edited by Sonja Raath

As the FIFA World Cup 2026™ gets underway, cybersecurity researcher Jeremiah Fowler’s independent findings on exposed football fan data show why ExpressVPN’s latest survey matters: fans are using clubs, players, and shirt numbers in passwords, while password reuse remains widespread.

Key findings: 

  • Fowler found a publicly accessible file containing more than 22,000 football fan accounts: During his independent research, cybersecurity researcher Jeremiah Fowler identified a database tied to a major Spanish football club. One XML file contained 22,608 accounts, including names, geolocations, and email addresses.
  • Fowler also discovered exposed sports travel data: A separate publicly accessible database belonging to a UK-based sports travel agency contained customer details including home addresses, phone numbers, dates of birth, nationalities, hotel names, and matches attended.
  • ExpressVPN’s survey shows that football interests shape password choices: Among fans who had used football-related information in a password, 73% of U.S. respondents said someone familiar with their football interests could guess one. This was followed by 63% in Australia, 56% in the UK, 54% in France, 53% in Germany, and 47% in Spain.
  • Historical breach research found football terms in more than 1.1 million passwords: A 2021 Authlogics analysis identified football-related terms, including “Football,” “Liverpool,” “Chelsea,” “Arsenal,” and “Barcelona,” in historical password data.
  • ExpressVPN’s survey highlights widespread password reuse: In the U.S., 71.7% of surveyed fans said they use the same password or a close variation on at least one other account. Among all U.S. fans who had shared a password so someone else could watch sports, 65% said that password was also used for another account, such as email, shopping, or banking.

For most football fans, a favorite club or player is more than a hobby. It becomes part of how they’re known, in shirts, scarves, group chats, social profiles, forum handles, email addresses, and, for some, the passwords they choose because those details are personal and easy to remember.

ExpressVPN’s latest survey of football fans across six countries suggests that the habit is widespread. Nearly one in four respondents had used football-related information in a password. Among those fans, 73% in the U.S. said someone familiar with their football interests could guess one of their passwords. The figure was 63% in Australia, 56% in the UK, 54% in France, 53% in Germany, and 47% in Spain. The survey was commissioned by ExpressVPN and conducted separately from the database research in this report, which I carried out independently.

As a cybersecurity researcher, I’ve seen criminals target people through the interests they share most openly. Football gives them a useful starting point because fan loyalty tends to be public, specific, and long-lasting. A club name, player nickname, shirt number, stadium, city, or tournament year may look harmless on its own, but together those details can help someone guess how a fan might build a password or craft a message they’re more likely to trust.

In my independent research, I found football-related information that had been left publicly accessible by organizations and services fans had trusted with their data. Records like these can give criminals additional details to combine with the information supporters already share openly.

Modern cybercriminals don’t always need advanced tools to start an attack. They often gather fragments of personal information from different sources and use them to build a clearer picture of a target. During the FIFA World Cup 2026™, messages about tickets, travel, merchandise, streaming access, and account updates give scammers a timely and plausible reason to make contact. Details from exposed fan records can make those messages considerably more convincing.

A single file exposed more than 22,000 football fan accounts

One publicly accessible database I found was tied to a major Spanish football club. An XML document contained 22,608 individual accounts, including names, geolocations, and email addresses. Some of the entries used football-related names that reflected how closely fan identity and club identity can overlap online.

I reported the finding to the organization, and the file was restricted or removed shortly after disclosure. It is no longer publicly accessible.

A redacted account record from the exposed database included an email address incorporating the name “Leo Messi,” showing how football identity can appear in fan account data.

Another file in the same database, named “tickets,” contained a support message from a user who had entered their full credit card number, name, email address, and phone number while trying to resolve a ticketing issue. 

A redacted support message from a file labelled “tickets.” The user had included their full card number, name, email address, and phone number while trying to resolve a ticketing issue. All personal and financial details have been obscured.

Even without evidence of misuse, that kind of exposed information shows how much sensitive data can accumulate around football accounts and services.

I’m not implying that any fans were harmed or that the data was accessed by anyone else. I also can’t know how long the files were exposed without an internal audit by the organization. What the finding shows is that football fan data can end up in places supporters never see, tied to accounts, purchases, and support channels they have every reason to trust.

Considered alongside my findings, the results of ExpressVPN’s survey in Spain are particularly striking. Nearly one in three Spanish football fans, 30.8%, said they had used football-related information in a password. The most common details were player shirt numbers, at 11.6%, favorite team names, at 9.9%, and player names or nicknames such as “Messi” or “Ronaldo,” at 8.6%. When account data already contains names and email addresses, password habits like those can give attackers a more useful starting point.

A sports travel database showed how far fan data can spread

The club finding wasn’t the only exposed football-related data I came across. I also found a publicly accessible database belonging to a UK-based travel agency that specializes in sports packages. The database contained hundreds of spreadsheet files with customer information, including home addresses, phone numbers, email addresses, dates of birth, nationalities, hotel names, and matches attended.

I sent a responsible disclosure notice to the travel agency, and public access was restricted shortly afterwards. The files are no longer accessible. The fields inside those spreadsheets were more detailed than a basic account list and could have been useful to criminals trying to write convincing messages about travel plans, match attendance, hotel stays, or ticket purchases.

A redacted screenshot from the exposed sports travel database I found during this research. The files included customer details connected to sports packages, including contact information, dates of birth, hotel information, and matches attended.

Football data doesn’t only live with clubs. It moves through ticketing providers, travel companies, merchandise stores, supporter platforms, apps, and third-party services built around major sporting events. Fans may think of these as separate accounts, but criminals often treat exposed information as pieces of the same profile.

More than 1.1 million breached passwords included football terms

Football-related passwords have appeared at scale in historical breaches. A 2021 password security analysis by Authlogics reviewed more than 1 billion unique clear-text passwords compiled from multiple previous data breaches. Researchers identified more than 1.1 million passwords linked to football-related terms.

The most common football-related password was “Football,” which appeared 353,993 times. It was followed by “Liverpool” at 215,842, “Chelsea” at 172,727, “Arsenal” at 151,936, and “Barcelona” at 131,090. Those numbers matter because they show that football terms are not rare edge cases in password data. They are part of a long-running pattern.

In early 2026, I discovered a separate exposed database containing 198 million logins, emails, usernames, and passwords. The database included 48 million Gmail accounts, 4 million Yahoo accounts, 1.5 million Outlook accounts, 900,000 iCloud accounts, and 1.4 million .edu email accounts. I didn’t search that database for football-related keywords, but it gave me a useful view of how many real-world passwords are structured.

Around 85% of the passwords I reviewed in that sample were dominated by human-memorable constructions, while only around 15% could be classified as complex. Many followed a familiar pattern: a name or word combined with numbers and a single special character. 

Passwords in the style of “Chelsea2026!” or “Ronaldo7@” may feel personal and strong enough, but the structure is predictable.
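
A service can refuse this structure when a password is set or changed. The check below is an added example, not code from this article or from ExpressVPN; its term list is limited to the football terms the article names, and the function names and the sample identifier dana.keeper@example.com are assumptions made for illustration.

```python
import re

# Constructed blocklist: only the football terms the article itself names.
# A real service would add its own club, player and stadium names.
FOOTBALL_TERMS = {"football", "liverpool", "chelsea", "arsenal",
                  "barcelona", "messi", "ronaldo"}

# Undo common character substitutions so "Ch3ls3a" is treated as "chelsea".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# One word, then 1-4 digits, then at most two symbols: "Chelsea2026!".
WORD_DIGITS_SYMBOL = re.compile(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]{0,2}")


def account_tokens(identifier):
    """Split a username or email local part into words of 4+ letters."""
    local_part = identifier.split("@", 1)[0].lower()
    return {tok for tok in re.split(r"[^a-z]+", local_part) if len(tok) >= 4}


def context_terms_in(password, identifier=""):
    """Return blocklisted or account-derived terms found in the password."""
    raw = password.lower()
    normalized = raw.translate(SUBSTITUTIONS)
    terms = FOOTBALL_TERMS | account_tokens(identifier)
    return sorted(t for t in terms if t in raw or t in normalized)


def check_password(password, identifier=""):
    """Return the reasons to reject a new password; an empty list means pass."""
    reasons = []
    hits = context_terms_in(password, identifier)
    if hits:
        reasons.append("contains guessable term: " + ", ".join(hits))
    if WORD_DIGITS_SYMBOL.fullmatch(password):
        reasons.append("word + digits + symbol structure")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; the first two styles are quoted in the article.
    for pw, ident in [("Chelsea2026!", ""), ("Ronaldo7@", ""),
                      ("Ch3ls3a_fan", ""), ("Keeper1!", "dana.keeper@example.com"),
                      ("copper-lantern-viaduct-84", "")]:
        print(f"{pw!r}: {check_password(pw, ident) or 'ok'}")
```

A term blocklist only covers the predictable cases described here, so it complements rather than replaces a minimum length and a breached-password lookup.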

ExpressVPN’s survey suggests that football-linked password habits appear across all six markets surveyed. Among respondents who had used football-related information in a password, U.S. and Australian fans were the most likely to say someone familiar with their interests could guess one. Large shares of football-password users in the UK, France, Germany, and Spain said the same. The problem is not limited to one country or one club.

71.7% of U.S. fans reuse a password or variation somewhere else

A football-themed password becomes more consequential when the same password, or a close variation, appears on other accounts.

ExpressVPN’s survey found that 71.7% of U.S. fans use the same password or a close variation on at least one other account. The figure includes respondents who said they reuse passwords on only “very few” accounts. Counting only those who reuse passwords across some, most, or all of their accounts produces a lower U.S. figure of 53.9%.

The broader pattern was similar across the six countries surveyed. France recorded 73.7%, followed by the UK at 73.3%, Spain at 72.5%, the U.S. at 71.7%, Germany at 71.1%, and Australia at 66.6%.

Password sharing adds another route through which a credential can travel. Among U.S. fans who had shared a password so somebody else could watch sports, 65% said that password was also used for another account, such as email, shopping, or banking. The figure was 47.4% in France, 43.7% in the UK, 38.1% in Germany, 36.9% in Australia, and 34.8% in Spain.

The survey doesn’t show that sharing a password automatically gives somebody access to those other accounts. Different usernames, multi-factor authentication, passkeys, and other safeguards may still stand in the way. It does show that a password given to somebody for one purpose may remain part of the account holder’s wider digital life.

That’s what makes football details useful to attackers. A club name, player number, or tournament year can help shape the first guess. Password reuse can make a correct guess matter far beyond football.

How football fans can lower the risk

Football fans are often loyal to the same club for years, sometimes for life. That makes their interests easier to predict, but it does not have to make their accounts easier to compromise. I would advise fans to start with the accounts that matter most, especially email, banking, ticketing, travel, shopping, and social media. Then: 

  • Take football out of your passwords: Avoid using club names, player names, shirt numbers, stadium names, supporter nicknames, tournament years, or any football-related phrase in a password. These details may feel personal and memorable, but that is exactly what makes them predictable.
  • Use a unique password for every account: Reusing a password is one of the easiest ways to turn one exposed account into a much larger problem. A password manager like ExpressKeys can help generate and store passwords that do not rely on personal details.
  • Turn on multi-factor authentication: MFA is especially important for email, banking, ticketing, and social accounts, because those are often used for password resets, payment fraud, or impersonation. It will not stop every attack, but it can prevent a stolen or guessed password from being enough on its own.
  • Treat World Cup messages with caution: Be careful with emails, texts, or social posts tied to tickets, merchandise, travel updates, account verification, or exclusive tournament offers. Buy tickets, merchandise, and travel packages only through official channels, and avoid entering personal or financial details through unexpected links.
  • Act quickly if something looks wrong: If you suspect an account has been compromised, change the password immediately and contact the official service provider. Check whether the same password was used anywhere else, then replace it on those accounts too.

Methodology

Jeremiah Fowler’s independent research: The database research described in this article was conducted independently by Jeremiah Fowler in early 2026 as part of ongoing work into publicly exposed databases and cybersecurity risk. All findings were responsibly disclosed to the affected parties before publication.

ExpressVPN survey: This survey was commissioned by ExpressVPN in May 2026 in collaboration with online market research provider Pollfish. The survey included football and soccer fans across the United States, the United Kingdom, France, Germany, Spain, and Australia, with 1,000 respondents surveyed in each market. All respondents identified as football fans who follow the sport closely or casually.

ExpressVPN is a proud Official Supporter of the FIFA World Cup 2026™

Jeremiah Fowler

Jeremiah Fowler is an experienced cybersecurity researcher, journalist, and privacy advocate. With over a decade in the field, he has uncovered and responsibly reported some of the largest data breaches and has helped protect the personal data of millions of individuals, companies, and governmental organizations worldwide. His commitment to privacy, transparency, and data protection is reflected in his reporting, which offers real-world examples of why data privacy is important and how companies and individuals can be aware of potential risks.
