1,135 NFL Players’ Personal Information Stolen in NFLPA Breach

The NFLPA website was attacked and personal information for nearly 1,200 players was stolen.

An NFL Players Association website suffered a breach sometime in February. The breach was disclosed by Bob Diachenko of Kromtech, who found a publicly accessible database containing private information for both players and agents.

On Monday, the NFLPA notified the agents of the affected players. As many as 1,135 active players could be affected.

The vulnerability was found in an Elasticsearch database that resided on a server for NFLPA.com. Due to a misconfiguration, the data inside was accessible via a specific link.

NFLPA vulnerability
Image credit: Bob Diachenko

Unfortunately, the vulnerability had already been exploited by the time it was found. A hacker left a ransom note in February, demanding a fraction of a bitcoin, worth approximately 450 US dollars.

It’s unclear whether the ransom was paid. But the associated bitcoin wallet had no money in it.

Diachenko writes that the problem was fixed, though nobody from the NFLPA actually contacted him.

What was stolen in the NFLPA Breach?

In all, the hackers made off with a ton of very valuable personal information. Among the stolen data was:

  • Total log records: 573,368
  • Records from 2017 (“audit-orchard-prod”): 406,284 total; creation date: 2017-02-03
  • Emails (agent + player): 1,262 records
  • 75 @nflpa.com emails
  • Agents’/managers’ IP addresses
  • Players’ physical addresses
  • Players’ mobile phone numbers
  • Designated Payee number codes
  • Advisor fee percentages
  • 68 URLs or pages within the domain
  • 22,974 hashes (widely used in computer software for rapid data lookup)
  • 26,271 IP addresses related to signed-in users and login locations

The data is particularly useful given the fact that these men make a lot of money and this information could be used in an attempt to extort them.

This is bad news for Colin Kaepernick

One ramification of this breach is that player data for Colin Kaepernick was stolen.

Colin Kaepernick's NFLPA record
Image Credit: Bob Diachenko

Kaepernick is the controversial former San Francisco 49ers QB who knelt in protest during the national anthem last year. Since then he has been a polarizing figure, and has reportedly even received death threats.

Well, now, unfortunately, they could find out where he lives.

At the very least Kaepernick probably needs to change his number and email address. He may also want to add some extra security to his home.

What we Hashed Out (for Skimmers)

Here’s what we covered in today’s discussion:

  • The NFLPA was breached back in February
  • Information for over 1,200 people was compromised
  • The records included phone numbers and addresses

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.