AFC Ajax — 300,000+ fan accounts exposed via misconfigured API access control; Dutch suspect arrested
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
The Dutch National Police arrested a 35-year-old over the breach of AFC Ajax's fan app, in which misconfigured API access control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records (2026-05-28). Two things make this instructive for this audience: the root cause is a textbook broken-object-level-authorization / over-shared-credential failure in a mobile-app back end — the class of defect that automated DAST and an API-inventory review catch cheaply — and the rapid arrest is a reminder that these cases do sometimes attribute to an individual rather than an organised crew. Re-audit API authorization on customer/citizen-facing apps for object-level checks, and retire shared API keys in favour of per-client credentials.
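To make the two remediation points concrete, here is an added example (not code from the brief, from AFC Ajax, or from the fan app's vendor) of the broken-object-level-authorization pattern beside its fixed form, and of a shared API key beside per-client credentials. The handler design, the `Caller`/`TICKETS` names, the key strings and the ticket records are all constructed for illustration; nothing here describes the actual back end.

```python
"""Added example: object-level authorization and per-client API credentials.
All data (tickets, users, keys) is constructed; the handler shape is assumed,
not taken from any real fan-app back end."""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed season-ticket records, keyed by id, each tied to an owner.
TICKETS = {
    1001: {"owner_id": "u-alice", "seat": "Block 112, Row 4"},
    1002: {"owner_id": "u-bob", "seat": "Block 412, Row 9"},
}


@dataclass(frozen=True)
class Caller:
    user_id: str    # authenticated end user, e.g. from the session or JWT
    client_id: str  # which app build / partner presented the API credential


class Forbidden(Exception):
    pass


# --- Vulnerable form: authentication only, no object-level check ---------
def get_ticket_vulnerable(caller, ticket_id):
    # Any authenticated user can read any record by supplying another id.
    return TICKETS[ticket_id]


# --- Hardened form: the record must belong to the caller -------------------
def get_ticket(caller, ticket_id):
    rec = TICKETS.get(ticket_id)
    # One response for "missing" and "not yours", so ids are not confirmed.
    if rec is None or rec["owner_id"] != caller.user_id:
        raise Forbidden("ticket not found")
    return rec


def can_read(caller, ticket_id):
    """True if the hardened handler lets this caller read this ticket."""
    try:
        get_ticket(caller, ticket_id)
        return True
    except Forbidden:
        return False


# --- Shared key vs per-client credentials ---------------------------------
# Shared-key model: one secret baked into every app build. A leak from any
# build is a leak for all of them, and it cannot be revoked selectively.
SHARED_KEY = "constructed-shared-secret"


def authenticate_shared(presented_key):
    if not hmac.compare_digest(presented_key, SHARED_KEY):
        return None
    return "unknown-client"  # cannot tell which client this was


# Per-client model: each build/partner gets its own key; the server stores
# only a hash, and any single key can be revoked without touching the rest.
def _key_hash(key):
    return hashlib.sha256(key.encode()).hexdigest()


CLIENT_KEYS = {
    _key_hash("constructed-key-ios-4.2"): {"client_id": "ios-4.2", "revoked": False},
    _key_hash("constructed-key-android-4.2"): {"client_id": "android-4.2", "revoked": True},
}


def authenticate_client(presented_key):
    entry = CLIENT_KEYS.get(_key_hash(presented_key))
    if entry is None or entry["revoked"]:
        return None
    return entry["client_id"]


if __name__ == "__main__":
    bob = Caller("u-bob", "ios-4.2")
    print("vulnerable:", get_ticket_vulnerable(bob, 1001))   # Alice's record
    print("hardened  :", can_read(bob, 1001))                # False
    print("shared key:", authenticate_shared(SHARED_KEY))
    print("per-client:", authenticate_client("constructed-key-android-4.2"))
```

The point of the hardened handler is that authentication and authorization are separate checks: knowing who the caller is does not say which records they may see, so every read of an identifier supplied by the client must compare the record's owner to the caller. The per-client key table shows why retiring a shared key matters operationally: revocation and attribution become per-build, so one leaked build can be cut off while the others keep working.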