- Previous breach data shows over 1.1 million football-related passwords
- ExpressVPN found that nearly 1 in 4 soccer fans use this information in their logins
- Experts urge fans to delete any sports references from their account login details
As the FIFA World Cup kicks into high gear, millions of fans are showing their loyalty online. While you may already be using the best VPN to secure your browsing, ExpressVPN – now an official supporter of the 2026 tournament – warns that this very public fandom could translate into a major cybersecurity vulnerability.
In a new research report, cybersecurity researcher Jeremiah Fowler partnered with ExpressVPN to investigate how football obsession affects our password choices. The findings suggest that fans are openly giving hackers the keys to their digital lives by using highly predictable phrases.
Fowler’s analysis of historical data breaches revealed more than 1.1 million football-related passwords. Words like “soccer” along with massive club names like “Liverpool”, “Chelsea”, “Arsenal” and “Barcelona” appeared repeatedly throughout the dataset.
Because fan loyalty is incredibly public, across social media profiles, usernames and group chats, these passwords are far easier to crack than a random string of characters.
“As a cybersecurity researcher, I’ve seen criminals target people through the interests they most openly share,” Fowler explained. “A club name, player’s nickname, shirt number, stadium, city or tournament year may look innocuous on their own, but together these details can help someone guess how a fan might build a password or craft a message they’re more likely to trust.”
An open target for cybercriminals
To determine whether this behavior remains common today, ExpressVPN surveyed 6,000 soccer fans in six countries. The results confirm that poor password hygiene is still widespread.
Almost one in four fans surveyed admitted to using football-related information to secure an account.
Among these fans, the most common choices included their favorite team names, player names or nicknames, and jersey numbers. These easily searchable details are exactly what malicious actors look for when compiling custom dictionaries to breach an account.
The fans themselves are surprisingly aware of the risk. In the US, a massive 73.1% of those who used football-themed passwords acknowledged that someone familiar with their sporting interests could probably guess their login.
This vulnerability is exacerbated by the fact that many fans are already putting their digital privacy at risk through other careless online behavior during the tournament.
How to protect your accounts
Using a weak password becomes disastrous when you consider password reuse. According to Aaron Engel, Chief Information Security Officer at ExpressVPN, the habit of using the same login across multiple services is what turns a small breach into a full-scale privacy crisis.
“Password reuse is what allows a compromised credential to become a broader account security problem,” Engel warned.
He also noted that fans who share streaming logins put their personal data at further risk: “Password sharing increases the number of people and devices that may have that password; by doing so, users put their security in the hands of others. Multi-factor authentication doesn’t negate reuse, but it can prevent a stolen password from being enough on its own.”
If you want to be safe while streaming the tournament, you should immediately remove all sports references from your logins. Instead, use a dedicated password manager to generate complex, unique credentials for each account.
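A defender-side check for the pattern described above, as an added example that is not from ExpressVPN's report or the original article: a signup or password-change screen that flags passwords built from football terms, even after common character substitutions. The `fan_terms` parameter, the function names and all sample passwords are constructed assumptions.

```python
import re

# Terms named in the article; a deployment would load a larger maintained list.
ARTICLE_TERMS = {"soccer", "liverpool", "chelsea", "arsenal", "barcelona"}

# Undo common character substitutions; "1" is tried as both "i" and "l".
_SUBS = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
_TABLES = [str.maketrans({**_SUBS, "1": c}) for c in "il"]
_YEAR = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")


def _letters(text):
    # Keep only a-z so separators and digits cannot hide a term.
    return re.sub(r"[^a-z]", "", text)


def screen_password(password, fan_terms=()):
    """Return sorted reasons a password is guessable from public fandom.

    fan_terms: hypothetical per-user details (club, player nickname, stadium,
    city) that the service already knows or the user has made public.
    An empty list means this check found nothing; it does not prove strength.
    """
    lowered = password.lower()
    views = {_letters(lowered)} | {_letters(lowered.translate(t)) for t in _TABLES}
    reasons = set()
    for term in ARTICLE_TERMS | {t.lower() for t in fan_terms}:
        key = _letters(term)
        if len(key) >= 3 and any(key in view for view in views):
            reasons.add("term:" + key)
    if reasons:
        # Digits only count as a finding next to a football term: a year or a
        # trailing short number (shirt number) adds little to a guessable word.
        year = _YEAR.search(password)
        if year:
            reasons.add("year:" + year.group())
        elif re.search(r"(?<!\d)\d{1,2}$", password):
            reasons.add("short-number")
    return sorted(reasons)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any breach data.
    samples = ["Liverpool2026", "Ch3l$ea#9", "anfield-kop-04", "mV7q-Rt2x-Lp9w-Zc4n"]
    for candidate in samples:
        print(candidate, "->", screen_password(candidate, fan_terms=["Anfield"]))
```

Any non-empty result is a reason to reject the candidate and prompt for a password-manager-generated one instead.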
It’s also a good time to make sure your overall connection is encrypted, especially if you’re wondering if you should use a VPN to watch the World Cup.
Just keep in mind that new ExpressVPN users still have a chance to win a premium ticket to the World Cup, but you won’t get its usual 30-day money-back guarantee.



