The NFLPA website was attacked and personal information for nearly 1,200 players was stolen.
An NFL Players Association website suffered a breach sometime in February. The breach was disclosed by Bob Diachenko of Kromtech, who found a publicly accessible database containing private information for both players and agents.
The NFLPA notified the agents of players affected on Monday. Potentially as many as 1,135 active players could be affected.
The vulnerability was found in an Elasticsearch database that resided on a server for NFLPA.com. Due to a misconfiguration, the data inside was accessible via a specific link.
Unfortunately, the vulnerability had already been exploited when it was found. A hacker left a ransom note in February, demanding a fraction of a bitcoin, worth approximately 450 US dollars.
It’s unclear whether the ransom was paid. But the associated bitcoin wallet had no money in it.
Diachenko writes that the problem was fixed, though nobody from the NFLPA actually contacted him.
What was stolen in the NFLPA Breach?
In all, the hackers made off with a ton of very valuable personal information. Among the stolen data was:
- Total log records amount: 573,368
- Records from 2017 – “audit-orchard-prod”, total: 406,284; creation date: 2017-02-03
- Emails (agent + player) – 1,262 records
- 75 @nflpa.com emails
- Agents'/managers' IP addresses
- Players' physical addresses
- Players' mobile phone numbers
- Designated Payee number codes
- Advisor fee percentages
- 68 URLs or pages within the domain
- 22,974 Hashes (widely used in computer software for rapid data lookup)
- 26,271 IP addresses related to signed-in users and login locations
The data is particularly useful given the fact that these men make a lot of money and this information could be used in an attempt to extort them.
This is bad news for Colin Kaepernick
One ramification of this breach is that player data for Colin Kaepernick was stolen.
Kaepernick is the controversial former San Francisco 49ers QB who knelt in protest during the national anthem last year. Since then he has been a polarizing figure, and has reportedly even received death threats.
Well, now, unfortunately, they could find out where he lives.
At the very least Kaepernick probably needs to change his number and email address. He may also want to add some extra security to his home.
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- The NFLPA was breached back in February
- Information for over 1,200 people was compromised
- The records included phone numbers and addresses