Past breach data show over 1.1 million soccer-related passwords
ExpressVPN found that nearly 1 in 4 football fans use this info in their logins
Experts urge fans to delete any sports references from their account login details

As the FIFA World Cup kicks into high gear, millions of fans are displaying their loyalty online. While you might already be using the best VPN to secure your browsing, ExpressVPN — now an official supporter of the 2026 tournament — is warning that this very public fandom can translate into a major cybersecurity vulnerability.

In a new research report, cybersecurity researcher Jeremiah Fowler partnered with ExpressVPN to examine how soccer obsession influences our password choices. The results suggest that fans are openly handing hackers the keys to their digital lives by using highly predictable phrases.

Fowler's analysis of historical data breaches revealed more than 1.1 million soccer-related passwords. Words like "soccer," alongside massive club names such as "Liverpool," "Chelsea," "Arsenal," and "Barcelona," appeared repeatedly throughout the dataset. Because fan loyalty is incredibly public, plastered across social media profiles, usernames, and group chats, these passwords are far easier to crack than a random string of characters.

"As a cybersecurity researcher, I've seen criminals target people through the interests they share most openly," Fowler explained. "A club name, player nickname, shirt number, stadium, city, or tournament year may look harmless on its own, but together those details can help someone guess how a fan might build a password or craft a message they're more likely to trust."

An open goal for cybercriminals

To determine if this behavior remains common today, ExpressVPN surveyed 6,000 football fans across six countries. The findings confirm that bad password hygiene is still widespread. Nearly one in four surveyed fans admitted to having used soccer-related information to secure an account.
Among these fans, the most common choices included their favorite team names, player names or nicknames, and jersey numbers. These easily searchable statistics are exactly what malicious actors look for when compiling custom dictionaries to breach an account.

The fans themselves are surprisingly aware of the risk. In the US, a massive 73.1% of those using soccer-themed passwords acknowledged that someone familiar with their sporting interests could likely guess their login. This vulnerability is compounded by the fact that many fans are already putting their digital privacy at risk through other careless online behaviors during the tournament.

How to protect your accounts

Using a weak password becomes catastrophic when you consider password reuse. According to Aaron Engel, Chief Information Security Officer at ExpressVPN, the habit of using the same login across multiple services is what turns a minor breach into a full-scale privacy crisis.

"Password reuse is what allows one exposed credential to become a wider account-security problem," warned Engel. He also noted that fans who share streaming logins put their personal data in further jeopardy: "Sharing passwords increases the number of people and devices that may hold that password; in doing so, users are putting their security into the hands of others. Multi-factor authentication doesn't undo reuse, but it can prevent a stolen password from being enough on its own."

If you want to stay safe while streaming the tournament, you should immediately strip any sports references out of your logins. Instead, use a dedicated password manager to generate complex, unique credentials for every account.

It is also a great time to ensure your overall connection is encrypted, particularly if you are wondering whether to use a VPN to watch the World Cup. Just keep in mind that new ExpressVPN users still have a chance to win a premium ticket for the World Cup, but you won't get its usual 30-day money-back guarantee.