Are you using the name of your favorite team as a password? Well, it’s high time that you change it.

A recent study found that passwords of millions of American sports fans are at high risk of being hacked, as they use names of different sports teams. Passwords related to the New York Yankees are the highest among MLB teams, as five other clubs also appear in the list of the top 25 teams with the most breaches.

The New York Post reported that a Duelbits study used compromised password data to analyze the number of exposed passwords related to variations of 124 teams from the MLB, NBA, NFL, and NHL.

“An astonishing 42,260,852 passwords linked to sports teams have been compromised in data breaches, and Yankees and Rangers fans were some of the most compromised,” noted Brooke Steinberg of the NY Post.

The study found that the Yankees fans come second overall among the compromised data, with 1,228,703 passwords already exposed. Duelbits researchers used commonly used passwords like “newyorkyankees,” “newyorkyankees1” and “yankees, with variations in capital letters and numbers, per the Post.

The New York Mets reportedly came 20 in the list with 650,911 breaches, alongside multiple New York teams across different sports. Right after the Yankees, the NHL’s New York Rangers fans are next on the list, with 1,100,572 passwords breached. The vulnerability extends across the NFL’s Giants and Jets, and the NBA’s Knicks, rounding out the list of compromised fanbases.

According to the NY Post, fans of six out of ten New York sports teams are among the fans of the top 20 teams with the most vulnerable passwords.

Aside from New York, MLB fans of Los Angeles are not safe either. With a number as high as 910,707 breaches, the Angels fans rank sixth. Hackers have not spared Boston Red Sox fans either, as they come ninth with 870,537 breaches.

The recent study shows that MLB fans come third with an average of 335,251 hacks per team, preceded by the NBA (343,985) and the NFL (379,447) at the top.

MLB fans should act as soon as possible if they don’t want a repetition of the ticket thefts they faced in 2025 with MLB’s Ballpark app. Various fans reportedly saw their digital tickets disappear abruptly from their accounts, as scammers used passwords leaked from data breaches on other platforms.

Cybersecurity expert James Bore also spoke against using team names as passwords.

Cybersecurity expert issues warning about breaches

As shown by the Duelbits study, using the name of one’s favorite sports team as a password is not as uncommon as one thinks. And with so many people using variations of the same team’s name, the risk becomes higher. It allows hackers to access those accounts easily.

“Using a sports team or place as a password is risky because it’s about predictability; the more commonly used, the easier a password is to guess at scale,” James Bore told Duelbits, per the NY Post. “If I use the password ‘newyork,’ it’s likely to be used by a lot more people than just me, meaning when password breaches show up, it’ll be in the common list, and attackers will try it.

According to Bore, the more famous a sports team, the more likely hackers are to access a password using its name. The popularity is directly proportional to its predictability.

However, it is difficult to remember multiple passwords made up of random numbers and letters. Bore also acknowledges the challenge. But, he advises in favor of using random words to avoid predictability.

Passwords have become a part of everyday life, and a breach can risk information that hampers multiple aspects of our lives. Hence, it’s better to secure them before it’s too late.