Cybernews said up to 127 buckets of data including ticket buyers’ personal information, players’ contracts and documents had been left exposed due to human error.

The researcher said Football Australia had left plain-text Amazon Web Services (AWS) keys – including Secret keys – hardcoded into the HTML page of its subdomain.

“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” the researchers said.

Cybernews said the cause was most likely human error with a developer accidentally leaving a reference hidden in code accessible by the public.

The researchers said personal nature of the information left exposed could be used for identity theft, fraud or blackmail – but it is yet to be confirmed if any outside source had accessed the data.

Football Australia issued a statement in response to the news.

“Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority,” the statement read.

“Football Australia takes the security of all its stakeholders seriously.

“We will keep our stakeholders updated as we establish more details.”

More Coverage

‘Can’t go backwards’: FA boss rules out A-Leagues ownership

Erin Smith

Inside story: How the Matildas became our favourite team

Jamie Pandaram

Originally published as Football Australia investigating after player contracts, passports appear online