F1 drivers, including Verstappen, have data accessed by hackers in FIA vulnerability

By Redação

Formula 1 – Photo: Michael Potts F1 / Shutterstock.com

A hacker identified as Nagli and two collaborators accessed the International Automobile Federation (FIA) driver categorization portal on Wednesday, October 22, 2025, in Geneva, Switzerland, exposing personal data of Formula 1 competitors. The incident revealed the passport and other documents of Max Verstappen, the current four-time champion, along with information from hundreds of registered drivers. The breach occurred due to a simple technical flaw in the system that allowed unauthorized escalation to administrative privileges. The FIA confirmed the issue and implemented immediate fixes to mitigate further risks.

The hacker group described the access as a curiosity-driven test, executed in less than 10 minutes. They created a fake driver account on the public site and requested a profile update, which exposed excessive server data. By exploiting a vulnerability known as “mass assignment,” the intruders altered codes to gain administrator status and view complete records.

  • Affected drivers include Max Verstappen, Lando Norris, and Franco Colapinto from the platinum category.
  • Exposed documents include passports, super licenses, and personal contacts.
  • No files were downloaded or publicly disclosed by the hackers.
  • The FIA notified data protection authorities and the affected competitors.

The organization stated that only the specific portal was compromised, with no impact on other digital platforms.


Details of the technical flaw

The vulnerability emerged during the European summer when the system processed a profile edit request without proper filters. The server sent additional information beyond what was requested, enabling manipulations that escalated access. The hackers reported the issue to the FIA shortly after discovery, aiding in identifying weaknesses.
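The flaw described above, a profile edit that binds unfiltered input and returns more than was requested, is shown next to a hardened handler in this added example. It is not the FIA's code; the record layout, field names and function names are hypothetical.

```python
import copy

# Constructed sample record; every field name here is hypothetical.
STORED = {
    "id": 101,
    "email": "driver@example.test",
    "display_name": "Test Driver",
    "phone": "+00 000 0000",
    "roles": ["driver"],
    "password_hash": "<constructed-placeholder>",
}

EDITABLE = {"email", "display_name", "phone"}      # what a user may change
PUBLIC = {"id", "email", "display_name", "phone"}  # what a response may show


def update_profile_vulnerable(record, body):
    """Binds every submitted key to the record and echoes the full record."""
    updated = copy.deepcopy(record)
    updated.update(body)        # privileged fields are writable too
    return updated, updated     # (new record, response body)


def update_profile_hardened(record, body):
    """Allowlist on input, separate allowlist on output."""
    unexpected = set(body) - EDITABLE
    if unexpected:
        # Reject rather than silently drop, so the attempt is visible in logs.
        raise PermissionError(f"fields not editable: {sorted(unexpected)}")
    updated = copy.deepcopy(record)
    updated.update(body)
    response = {k: v for k, v in updated.items() if k in PUBLIC}
    return updated, response


def demo():
    body = {"display_name": "New Name", "roles": ["admin"]}  # constructed request
    vuln_record, vuln_response = update_profile_vulnerable(STORED, body)
    try:
        update_profile_hardened(STORED, body)
        rejected = False
    except PermissionError:
        rejected = True
    _, safe = update_profile_hardened(STORED, {"display_name": "New Name"})
    return vuln_record["roles"], "password_hash" in vuln_response, rejected, safe


if __name__ == "__main__":
    print(demo())
```

The two allowlists are kept separate on purpose: the input list stops privilege fields from being written, and the output list stops the response from carrying fields the client never asked for.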

This flaw affects records of professional drivers across various categories, including Formula 1, IndyCar, and NASCAR. The FIA emphasized ongoing investments in cybersecurity, with data protection policies applied from the design stage of new digital tools.

Measures taken by the FIA

The Federation activated emergency protocols to isolate the affected portal and restore access barriers. Technical teams reviewed activity logs to ensure no data was extracted in bulk. Regulatory authorities received formal reports, as required by data protection laws.

Drivers were individually alerted about the incident, with guidance to monitor personal accounts. The FIA strengthened encryption on sensitive fields and updated data entry validations.

  • Internal audits were conducted across all related platforms.
  • Additional developer training focuses on preventing similar flaws.
  • Collaboration with external experts accelerates penetration testing.

The correction process prioritized the integrity of existing records.

Affected drivers on the F1 grid

Max Verstappen, from Red Bull, had his passport and super license viewed during the hacker test. Lando Norris, from McLaren, and Lance Stroll, from Aston Martin, were also on the accessed list. Franco Colapinto, a Williams rookie, had early career contacts exposed.

Former drivers like Jacques Villeneuve and Jenson Button had medical histories and hashed passwords compromised. The hacker group limited actions to verifications, avoiding copies that could worsen the leak. The FIA estimates around 200 records were potentially visible, with no evidence of malicious use.

Verstappen expressed concern in a brief statement, requesting regular updates on protections. F1 teams are monitoring the case for impacts on contract negotiations.

Nico Hulkenberg, from Haas, and Alex Palou, from another series, complete the notable affected names. The FIA is working to restore full trust in the system.

Context of the categorization portal

The FIA site serves as a mandatory repository for professional motorsport licenses, requiring document submission for annual super license issuance. Drivers upload histories, photos, and IDs for validation. Public access allows initial profile creation, but advanced edits require authentication.

This structure facilitates registrations but poses risks if validations fail, as seen in this case. The FIA is now reviewing approval flows to include additional multi-factor authentication layers. Similar incidents in motorsports highlight the need for alignment with global data standards, like GDPR, which imposes fines for negligence.

Hackers’ response and initial fixes

Nagli, the pseudonym of the main investigator, published technical details to illustrate the breach’s simplicity, with no commercial intent. The trio paused tests after accessing Verstappen’s data, prioritizing ethical notification to the FIA. Direct contact with the organization occurred hours after the exploit, providing exact codes for patches.

Fixes involved rewriting server routines to reject unauthorized commands. The FIA thanked the cooperation, turning the incident into a strengthening opportunity. Round-the-clock monitoring now tracks replication attempts.
