802,000 accounts stolen during the World Cup leaked: the dark side of sports streaming
Cybercriminals exploit World Cup fever to steal and sell credentials of 12 million accounts on the dark web, valued at $220 million.
July 18, 2026 · 4 min read
TL;DR: Cybercriminals published 802,000 stolen accounts from streaming services during the World Cup. In total, 12 million credentials are on the dark web, valued at $220 million. Users should change passwords and enable two-factor authentication.
What happened?
On June 27, the last day of the World Cup group stage, HUMAN Security Satori Threat Intelligence detected the publication of 802,000 stolen accounts on the dark web. These credentials belong to 10 streaming services broadcasting the matches. In total, over 12 million compromised accounts are circulating, with an estimated black market value of $220 million. The data, obtained through credential stuffing and phishing techniques, includes usernames, emails, and passwords in plain text or with weak hashing. According to HUMAN Security, the attack focused on popular services such as ESPN+, DAZN, Sky Go, and local platforms in countries like Brazil, Argentina, and Mexico. The massive publication occurred on dark web forums like Exploit.in and Russian Market, where cybercriminals sell batches of credentials at prices ranging from $10 to $50 per account, depending on age and verification.
Why is it important?
Live sports events are a magnet for cybercriminals. The urgency to watch matches leads many users to neglect security: they reuse passwords, use public WiFi networks, and download unofficial apps. This attack demonstrates that streaming platforms are also vulnerable and that stolen data can be used for financial fraud, identity theft, or credential stuffing attacks. In particular, credential stuffing — where attackers test stolen credentials on other services like banks or social media — poses a systemic risk. According to a 2023 Akamai report, 34% of global credential stuffing attacks are related to live sports events. Additionally, the $220 million value is calculated based on the average price of a verified streaming account on the black market (about $18), but the potential damage is much greater considering access to accounts linked to payment methods.
Consequences for companies, users, and the market
- For users: Risk of identity theft, unauthorized charges, and loss of service access. It is recommended to change passwords and enable two-factor authentication. Additionally, users should review their bank statements for suspicious transactions, as many streaming accounts have associated credit cards.
- For streaming platforms: Reputational damage and potential lawsuits for security negligence. They will need to invest in intrusion detection systems and user education. Some platforms, like DAZN, have already implemented mandatory two-step verification, but others still rely on weak passwords. The mitigation cost for a medium-sized platform can exceed $5 million, including user notifications, mass password resets, and security audits.
- For the market: Increased demand for dark web monitoring services and cyber insurance. Streaming companies may face higher operational and regulatory costs. For example, in the European Union, the General Data Protection Regulation (GDPR) imposes fines of up to 4% of annual turnover for breaches. Additionally, the global cyber insurance market is expected to grow 25% year-over-year, reaching $20 billion by 2027, driven by incidents like this.
Lessons learned and historical context
This is not the first time a massive sports event has triggered a wave of cyberattacks. During the Tokyo 2020 Olympics, 450 million cyberattack attempts were recorded, according to security firm Trend Micro. During the 2018 World Cup, over 2 million stolen credentials related to streaming services were detected, but the current figure is six times higher. At the 2024 Super Bowl, a similar attack compromised 1.5 million accounts of services like Hulu and YouTube TV. However, the scale of this incident, with 12 million compromised accounts, makes it the largest sports streaming credential theft in history. Comparatively, the 2021 LinkedIn breach exposed 700 million records, but in the sports streaming realm, this attack surpasses even the 2021 Twitch platform breach, which affected 125,000 accounts.
“Cybercriminals exploit the excitement of the moment to fish for data. Security must be part of the fan's ritual,” warns a HUMAN Security analyst.
The modus operandi is similar to previous attacks: attackers use bots to test credentials leaked from other breaches (such as Collection #1-5, which contained 2.2 billion credentials) against streaming services. They also employ targeted phishing techniques, sending fake emails with free streaming offers or account updates. Once they gain access, attackers can resell the accounts or use them to launch credential stuffing attacks on other sites.
What should readers know?
If you used streaming services to watch the World Cup, change your passwords immediately. Do not use the same password on multiple sites. Enable two-factor authentication. Be wary of free streaming offers or unofficial apps. And remember: your passion for football should not put your digital security at risk. Additionally, consider using a password manager and monitoring your accounts with services like Have I Been Pwned. For companies, it is crucial to implement measures such as anomaly detection in logins, rate limiting, and continuous user education on phishing. Collaboration with threat intelligence teams, like HUMAN Security's Satori, can help identify and mitigate attacks before they materialize.