An ethical hacker known as BodDaHacker, who presents herself as somebody who looks for security vulnerabilities and then reports them responsibly to help make the internet safer, claims to have found an incredible security breach in FIFA's World Cup services. Anyone who found that with malicious intent could have altered or disrupted the entire broadcast of the competition.
The hacker first registered in the FIFA Agent Platform, a public portal where anybody can (or could) enter to become a licensed football agent. She was easily able to bypass the client-side guards and landed in the Streaming Management panel, where she found the live production Streaming Management panel, with buttons to start, stop, schedule for all camera angles.
If an attacker found a way into that place, they could have easily stopped broadcast of the match worldwide, or even replace the camera feed with anything else. "An attacker could have Rickrolled the entire FIFA World Cup. Or played Subway Surfers gameplay. Live. On every TV network worldwide. During an active match."
But there's more: she easily got into other key parts of FIFA's media infrastructure, such as the full live match dashboard, match officials data, and even the commentator information system, a dashboard which commentators see during live matches, where they can see information they later share with their audience.
"An attacker could:
Modify editorial commentary notes and publish them to broadcast systems
Adjust the official kick-off moment
Send tactical lineup data
Change scores and match statistics
This data feeds into the Commentator Information System and gets displayed on live television.
"
The hacker couldn't contact FIFA, and then was not thanked or acknowledged in any way
The ethical hacker posted images on her blog to prove her findings, but she didn't alter anything. She tried to contact FIFA to warn them, and said it was the "most stressful night of her life", at 3 AM in Tokyo. She failed to contact FIFA via email, phone, media line, even the WhatsApp number of the Head of Football Technology & Data at FIFA, Sebastian Runge, found on LinkedIn.
She only got lucky contacting MediaKing, the streaming infrastructure that hosts the competition; with Cybersecurity and Infrastructure Security Agency (CISA), the federal lead on cybersecurity for the FIFA World Cup 2026; and even with an FBI contact, all of whom contacted FIFA. She wasn't able to warn FIFA herself.
Hours later, the issue was solved, but she claims she hasn't received any contact from FIFA acknowledging the breach, thanking her or to discuss compensation. "When a researcher has to call CISA and the FBI to reach you, something is wrong", said the hacker.