With the 2026 FIFA World Cup weeks away, new research from Specops, an Outpost24 company, has found that Lionel Messi outranks Cristiano Ronaldo in real-world breached password datasets — by around 26 per cent, with 1.22 million occurrences versus 923,000 across a corpus of more than 6.4 billion compromised credentials.
Football fandom as a security liability
The Specops Research Team’s analysis reveals that football names remain a persistent and exploitable weak point in enterprise password hygiene. Beyond the Messi-Ronaldo matchup, five of the top ten most-used player names in breached datasets are recently emerged stars — Vinicius, Saka, Gavi, Isak, and Pedri — alongside established names like Salah and Kane, suggesting that password choices track the cultural moment rather than reflecting entrenched legacy habits.
At the team level, Roma tops the table with 5.3 million occurrences — a figure the researchers note likely owes as much to the Italian city’s name as to the club — followed by Porto, Barcelona, Lyon, and Valencia.
The security risk is not simply that these passwords are common. Attackers use tools such as Hashcat and John the Ripper to run wordlists with applied mutations — adding year suffixes, swapping characters, or inserting symbols — making a password like Cr7ronaldo@? highly predictable once an attacker knows a user’s football allegiances from social media or phishing reconnaissance.
300 million new credentials added this month
The report coincides with Specops adding 300 million newly compromised passwords to its Breached Password Protection database this month, bringing the total monitored dataset to more than 6.1 billion entries. The company recommends organisations enforce policies that block not just known passwords but also predictable mutations — a gap that wordlist-based credential attacks are specifically designed to exploit.
