A serious vulnerability in FIFA's Microsoft Entra system allowed an ethical hacker, known as 'BobDaHacker', to access critical systems controlling World Cup broadcasts. On June 14, 2026, they exposed weaknesses in FIFA's access control that could have led to severe disruptions, including altering live broadcast content and altering match data.
Despite successfully reporting the issue through agencies like CISA and the FBI, FIFA lacked a proper security disclosure policy, highlighting weaknesses in their cybersecurity practices. The incident underscores the importance of robust server-side access controls, as many companies, including FIFA, rely heavily on client-side checks that can easily be bypassed.