1,135 NFL Players’ Personal Information Stolen in NFLPA Breach
The NFLPA website was attacked and personal information for nearly 1,200 players was stolen.
An NFL Players Association Website suffered a breach sometime in February. The breach was disclosed by Bob Diachenko of Kromtech, who found a publicly accessibly database containing private information for both players and agents.
The NFLPA notified the agents of players affected on Monday. Potentially as many as 1,135 active players could be affected.
The vulnerability was found in an elastisearch database which resided on a server for NFLPA.com. Due to a misconfiguration, the data inside was accessible via a specific link.
Unfortunately, the vulnerability had already been exploited when it was found, a hacker left a ransom note in February, demanding a fraction of a bitcoin, worth approximately 450 US dollars.
It’s unclear whether the ransom was paid. But the associated bitcoin wallet had no money in it.
Diachenko writes that the problem was fixed, though nobody from the NFLPA actually contacted him.
What was stolen in the NFLPA Breach?
In all, the hackers made off with a ton of very valuable personal information. Among the stolen data was:
- Total log records amount: 573,368
- Records from 2017 – “audit-orchard-prod” total -406,284 : creation date: 2017-02-03
- Emails (agent + player) – 1,262 records
- 75 @nflpa.com emails
- Agents/managers IP addresses
- Players physical address
- Players mobile phone numbers
- Designated Payee number codes
- Advisor fee percentages
- 68 Urls or pages within the domain
- 22,974 Hashes (widely used in computer software for rapid data lookup)
- 26,271 IP Addresses -related to signed-in users and login locations
The data is particularly useful given the fact that these men make a lot of money and this information could be used in an attempt to extort them.
This is bad news for Colin Kaepernick
One ramification of this breach is that player data for Colin Kaepernick was stolen.
Kaepernick is the controversial former-San Fransisco 49ers QB that knelt in protest for the national anthem last year. Since then he has been a polarizing figure, and has reportedly even received death threats from people.
Well, now, unfortunately, they could find out where he lives.
At the very least Kaepernick probably needs to change his number and email address. He may also want to add some extra security to his home.
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- The NFLPA was breached back in February
- Information for over 1,200 people was compromised
- The records included phone numbers and addresses
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown