Tens of thousands of Brazilian soccer fans have been exposed after a publicly accessible cloud storage bucket leaked several gigabytes of data containing sensitive information stretching back several years.
The leaky S3 bucket, investigated exclusively by ZDNet in partnership with Brazilian cybersecurity news website The Hack, was owned by Futebol Card, an online ticketing company that also provides member and loyalty program management systems to a number of major soccer clubs.
Personal data belonging to supporters of a number of Brazilian organizations was involved in the incident, but the vast majority of the individuals exposed are fans of São Paulo-based soccer team Palmeiras, one of the country's most popular and successful clubs, with around 18 million supporters nationwide.
The 25GB sample analyzed contained a myriad of CSV files listing tens of thousands of names, contact details, dates of birth, marital status, social security numbers, payment method used for the membership subscription and even details such as shirt sizes and a log of comments fans made when signing up.
In addition, the bucket in question contained information from the MIFARE contactless cards used to access the stadia, such as individual codes and status of the card - whether it had been generated, received by the user, or canceled.
Considering the vast number of spreadsheets in the sample and the likelihood that names appear more than once across the files, it was not possible to estimate the exact number of soccer fans impacted.
However, one of the reports in the analyzed sample had 44,000 active members and 9,700 inactive supporters, for reasons that could include outstanding membership payments. Numbers from a fiscal watchdog for Palmeiras suggest the club's base has about 67,000 season ticket holders, of which 60,000 pay their membership fees regularly.
In addition, the unprotected server had a folder with several graphic materials used for marketing campaigns, including CSS style sheets and high-resolution images. Along with the personal information available on the spreadsheets, the graphic material could provide cybercriminals with a handy set of tools to create highly credible phishing campaigns under the guise of online marketing.
Futebol Card was notified of the leaky bucket on January 30 and rectified the issue the following day, although it is not known how long the records were exposed or how many people accessed the information before the problem was fixed.
The website and Avanti Palmeiras, the membership scheme of Brazilian soccer club Palmeiras, did not respond to requests for comment at the time of publication.