With the FIFA World Cup set to kick off in just two weeks, fans of the “beautiful game” are changing their passwords to ones that reflect their passion for soccer, leaving them open to hackers.
Pool A action gets underway with South Africa’s Bafana Bafana facing Mexico at Estadio Banorte in Mexico City at 9pm SAST, although punters are giving Bafana Bafana just a 13% chance of pulling off a win.
Internationally, fans are supporting names such as Argentina’s Lionel Messi, Vinícius Júnior from Brazil, Egypt’s Mohamed Salah, and England’s Bukayo Saka and Harry Kane – and changing their passwords to reflect their passion.
New research from Specops, a unit of dark web monitoring company Outpost24, found that Messi outranks Cristiano Ronaldo by a clear margin in one of the more unexpected matchups of the year: their frequency of appearance in breached password datasets.
Messi outranks Ronaldo
Based on a database of more than 6.4 billion breached passwords, Specops researchers found Messi appearing more than 1.2 million times, against Ronaldo’s roughly 923 000 occurrences, a difference of around 26%.
This list of compromised passwords coincides with the addition of 300 million newly-compromised passwords to Specops Breached Password Protection, sourced from the company’s honeypot network and threat intelligence feeds.
Specops says in a statement that the breakdown reveals a generational shift in the data. Five of the top 10 names (Junior, Saka, Pablo Martín Páez Gavira – known as Gavi – Alexander Isak, and Pedro González López who goes by Pedri) represent players who emerged in the past few years, while Salah and Kane represent the established stars.
“This mix suggests that password choices are not just legacy habits but reflect the players fans are watching now,” it notes.
Among the top 10 most widely supported clubs, Roma is a clear favourite among soccer fans, with 5.3 million compromised passwords on Specops’ list. Roma is followed by FC Porto at 517 505.
Bafana Bafana, with the final squad announced yesterday, does not make an appearance in its findings.
P@sw00rd prevalence
At the beginning of this month, security company Kaspersky found that more than 50% of leaked passwords end with a number, and the “@” symbol appears in 10% of cases.
The findings point to persistent weaknesses in password behaviour, with users continuing to rely on predictable credentials even as attackers increasingly use AI-powered tools to exploit common security habits.
Kaspersky analysed 231 million unique passwords exposed in major leaks between 2023 and 2026, revisiting research first conducted in 2024 ahead of World Password Day on 7 May.
The security company expanded its original dataset with an additional 38 million real-world passwords shared on dark web forums by cyber criminals and found that 68% of passwords can be hacked within a day.
“60.2% of all analysed passwords – regardless of length – can be cracked in about an hour, while 68.2% can be cracked in a day. In addition, short passwords of up to eight characters are typically cracked in under a day,” Kaspersky says.
The security company also indicated that even longer credentials are not immune. “More than 20% of 15-character passwords are broken in less than a minute using AI-powered approaches,” notes the research.
Oops, I did it again
Kaspersky’s analysis found predictability remains a major weakness in password creation habits. According to the report, 53% of analysed passwords ended with digits, while 17% started with numbers.
“Nearly 12% of passwords include a numeric sequence that resembles a date (from 1950 to 2030) and 3% of leaked passwords include keyboard sequences like ‘qwerty’ or ‘ytrewq’, but most of them are digital sequences like ‘1234’.”
The research also found users continue to rely on a narrow pool of familiar special characters. Among leaked passwords containing a single special character, the “@” symbol appeared most frequently at 10%, followed by the full stop at 3% and the exclamation mark.
Own goal
Specops notes that infostealer dumps confirm that pattern. Examples of real compromised passwords pulled from one of the largest recent dumps include:
- Cristianoronaldo7@@
- Cr7ronaldo@?
- zidaneisbetterthanmbappe1234
- lionelmessithebest10
- lionelmessithegoat10
- mrs_kylianmbappe
- kylianmbappeg04t
“A password like ‘Cr7ronaldo@?’ meets common complexity rules and feels secure, but if an attacker knows the user is a Ronaldo fan, the password becomes fairly predictable even before it is leaked,” says Specops.
“Attackers do not type passwords manually. They run wordlists through tools such as Hashcat or John the Ripper and apply rule-based mutations: appending years, swapping letters for numbers, adding symbols. Once a popular term lands in a wordlist, every plausible variation comes for free.”
Breached password datasets compound the problem, it says. “Each new leak of ‘Cr7ronaldo’ or a variant gets prioritised more aggressively in the next round of attacks, and users tend to reuse or only lightly modify passwords, so a football-themed credential compromised in one context can quickly become an entry point elsewhere.”
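The gap between "meets complexity rules" and "predictable" can be checked when a password is set. The sketch below is an added example, not code from Specops or Kaspersky: it undoes common letter-for-symbol swaps and looks for a blocked base term, a keyboard run, trailing digits or a year-like number. The blocklist, the substitution table and the function names are constructed for illustration from the names and patterns quoted in this article.

```python
import re

# Constructed blocklist built from names this article mentions; a real
# deployment would pair a breached-password service with a custom dictionary.
BLOCKED_TERMS = {"messi", "ronaldo", "mbappe", "zidane", "salah", "kane", "saka", "cr7"}
KEYBOARD_RUNS = ("qwerty", "ytrewq", "1234")
# Undo common swaps so "g04t" and "goat" compare equal (assumed table).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})
# Approximation of "a numeric sequence that resembles a date (1950 to 2030)".
YEAR = re.compile(r"(?<!\d)(19[5-9]\d|20[0-2]\d|2030)(?!\d)")


def meets_complexity(pw: str) -> bool:
    """Classic composition rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def findings(pw: str) -> list[str]:
    """Return the predictable patterns present in a candidate password."""
    lower = pw.lower()
    # Compare both the raw and the de-leeted form, letters and digits only.
    forms = {re.sub(r"[^a-z0-9]", "", lower),
             re.sub(r"[^a-z0-9]", "", lower.translate(UNLEET))}
    found = [f"blocked term: {t}" for t in sorted(BLOCKED_TERMS)
             if any(t in f for f in forms)]
    found += [f"keyboard run: {r}" for r in KEYBOARD_RUNS if r in lower]
    if re.search(r"\d$", pw):
        found.append("ends with digits")
    if YEAR.search(pw):
        found.append("year-like number")
    return found


def accept(pw: str) -> bool:
    """Accept only passwords with no predictable pattern, whatever their composition."""
    return not findings(pw)


if __name__ == "__main__":
    for sample in ("Cr7ronaldo@?", "zidaneisbetterthanmbappe1234",
                   "orbit-velvet-cactus-harbor"):
        print(sample, meets_complexity(sample), findings(sample))
```

The composition rule passes ‘Cr7ronaldo@?’ and fails the four-word passphrase, while the pattern check does the opposite, which is the mismatch the Specops quote describes.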


