Back to Insights
Threats4 min read12 July 2026

Argentina's Football Association Email Account Hijacked After World Cup Win Over Egypt

Someone broke into an AFA official inbox and sent journalists fabricated claims that Argentina's 3-2 comeback victory was fixed. The association says it sent nothing.

t2s
train2secure NewsdeskSecurity awareness team
A dimly lit server room with a single glowing computer monitor displaying an open email inbox, a padlock lying open on t

The Argentine Football Association (AFA) confirmed in 2025 that at least one of its official email accounts was accessed without authorisation, and that fraudulent messages were dispatched from it to journalists covering the FIFA World Cup.

What the fake emails said

Argentina trailed Egypt 2-0 before staging a three-goal comeback to win. Extraordinary match. Then, shortly after the final whistle, journalists began finding messages in their inboxes that appeared to originate from an AFA institutional address.

The content was pointed. The messages claimed Argentina had not legitimately won, attributed the result to corrupt refereeing, and praised Egypt's performance. French referee Francois Letexier was already under scrutiny: the Egyptian Football Association had separately written to FIFA asking that he be removed from the tournament, alleging he favoured Argentina. The emails landed squarely into that live controversy.

The AFA moved quickly to distance itself. In a public statement the association said it had "detected the possible sending of emails from one of our institutional accounts that were not generated or authorised by our team." Sources close to the organisation told Argentine outlet La Calle that hackers of Egyptian origin were believed to be responsible. No individual or group has been publicly named. No arrests have been announced.

How an official inbox gets taken over

This failure pattern is depressingly familiar to anyone working in identity security. Email accounts, including shared institutional ones used by large sports governing bodies, are only as secure as the weakest credential attached to them.

The three most common entry points are reused passwords, credentials harvested through phishing, and accounts that have never been enrolled in multi-factor authentication (MFA). Any one of those three gaps is enough. A single staff member who clicks a convincing phishing link, enters their credentials on a fake login page, and never gets an MFA prompt to alert them that something is wrong hands an attacker a fully functioning inbox. The attacker can then compose and send whatever they like, from a legitimate address, with no visible warning signs for recipients.

The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in 77 percent of web application breaches, and that phishing remains one of the top three action varieties across all confirmed breaches. Those numbers have been stubbornly consistent for years. The AFA incident fits the pattern precisely.

MFA is not a silver bullet, but it raises the cost of account takeover substantially. Without it, a correct password is all an attacker needs. With it, the attacker must also defeat a second factor, a time-sensitive code, a push notification, a hardware key. Most opportunistic attackers walk away when they hit that wall.

The shared-inbox problem nobody fixes until it breaks

Shared team inboxes are a specific liability that organisations routinely ignore. Multiple staff members holding the same credentials, no clear ownership of who rotates the password, no audit log of who sent what. That setup works fine until the day it does not.

Security-awareness training is directly relevant here. If the account was taken over via phishing, the moment of failure was a human one: someone read a deceptive email and complied with it. Training staff to recognise phishing attempts before they click is one of the cheapest, most evidence-backed controls an organisation can put in place. The AFA's own post-incident advice to journalists, delete the message, do not click links, do not enter personal details if prompted, is exactly the guidance that should have been circulating internally before the tournament began.

For recipients of the fraudulent emails, the practical steps are simple. Delete the message. Treat any links inside it as hostile. If you entered credentials or personal information because the email appeared official, change your passwords immediately and notify your IT or security team.

What defenders should take away

The AFA incident is a useful case study in how account takeover attacks serve goals beyond financial theft. Here the apparent motive was reputational and political, using a trusted sender address to inject disinformation into a live news cycle. That use of compromised institutional accounts to spread false narratives is a growing tactic. It costs almost nothing once the account is in hand, and it exploits the implicit trust recipients place in recognised sender addresses.

Organisations that manage communications accounts tied to high-profile events, sports federations, press offices, government agencies, need to treat those inboxes as high-value targets, not administrative utilities. The controls required are not exotic. Strong unique passwords, MFA on every account, phishing-resistant authentication where possible, regular credential audits, and staff trained to spot social engineering attempts.

You can review how these controls map to recognised frameworks at the Train2Secure standards page, which covers NIST, ISO 27001, and Cyber Essentials requirements in plain language.

NIST Special Publication 800-63B, the authoritative guidance on digital identity and authentication, recommends phishing-resistant MFA for any account with access to sensitive functions or communications. An official inbox that can reach thousands of journalists qualifies. Review the Train2Secure pricing page to see how security-awareness programmes scale across teams of any size.

The AFA says it is working to secure the compromised account and determine exactly how access was gained. The full scope of what was sent, and to whom, may not be known for some time. One thing is already clear: an account that represents a national football association at a World Cup should have had stronger gatekeeping long before the opening match.

How this could have been prevented

  • Enable multi-factor authentication on every institutional email account, especially shared inboxes used for high-profile communications.
  • Run regular phishing-simulation training so staff can recognise credential-harvesting attempts before they hand over login details.
  • Audit shared account access: assign clear ownership, rotate passwords on a set schedule, and review who can send on behalf of official addresses.

Train2Secure's security-awareness programmes cover phishing recognition, credential hygiene, and identity security in short, measurable modules built for busy teams.

Start free, no card required

Frequently asked questions

Was the AFA's email system fully compromised or just one account?

The AFA stated that one institutional email account was accessed without permission. The full scope of the intrusion, including how many accounts were affected, has not been confirmed publicly.

How can journalists or recipients tell if an email from a sports organisation is genuine?

Check the full sender address carefully, not just the display name. Do not click links in unsolicited messages. Contact the organisation through a verified phone number or website to confirm whether they sent a message. Treat any email asking for personal information or containing unusual claims with suspicion regardless of the apparent sender.

What is multi-factor authentication and would it have prevented this?

MFA requires a second proof of identity beyond a password, such as a one-time code sent to a phone. It does not guarantee protection, but it means a stolen password alone is insufficient to access an account. Many account takeover attacks fail at this step, making MFA one of the highest-return security controls available.

Who is believed to be behind the AFA email hack?

Sources close to the AFA told Argentine media that hackers of Egyptian origin were suspected. No individual or group has been formally named and no arrests have been reported as of the time of publication.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress