NFL Player’s Association Exposed Personal Data

NFL Player’s Association Exposed Personal Data of 1,133 Players & Agents Online. Evidence That Data Was Also Accessed by Cyber Criminals

Elasticsearch nodes and indices were visible on Shodan, a public IoT search engine:

Moreover, the content of specific indices is also viewable in a browser, so anybody with an Internet connection could have accessed the data (and, as the ‘pleasereadthis’ index shows, somebody with malicious intent had already seen it).

NFLPA (The National Football League Players Association) is the labor organization representing the professional American football players in the National Football League. This appears to be the first data leak of NFL player data and the most ironic part is that no hacking was involved and the data required no password or authentication.

The exposed log records contain NFL player information and their agents' information, such as emails, mobile phone numbers, home addresses of agents and players, and the IP addresses that were used to sign in and access the dashboard.

In total, the personal details of 1,133 players and agents were exposed.

Among others, the list includes some of the top names in the NFL, including controversial former 49ers quarterback Colin Kaepernick. The seriousness of his data being leaked is that Kaepernick has told reporters that he has received multiple death threats since 2016 for protesting during the national anthem. He opted out of the final season of his contract with the 49ers to become a free agent and still remains unemployed after no NFL team picked him up for the 2017 season. His email, home address, and personal phone number were available in plain text.

Evidence of Cyber Criminals Accessing the Data:  

In early 2017, a large number of Elasticsearch servers fell victim to ransomware attacks: an estimated 4,600 of them were compromised and many more were still left vulnerable. Researchers discovered a ransom note placed in the database that instructed administrators to pay a ransom in the cryptocurrency Bitcoin or their data would be deleted. The “pleasereadthis / please_read / warning” campaign was well documented, and so was the solution to protect the data. The only thing programmers had to do was to enact the most basic security measures and not allow public access.

On Feb 3rd 2017, someone left a ransom message inside the NFL database.

{"pleasereadthis":{"aliases":{},"mappings":{},"settings":{"index":{"creation_date":"1486167641590","uuid":"KGijVP-WT4unr85SWlm-sw","notice":"SEND 0.1 BITCOIN TO THIS WALLET: 1EomYAqKiyrH4oRAV4AVHoMDGkn9MkFFxN IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS IF PAYMENT IS NOT MADE WITHIN 120 HOURS WE WILL LEAK THE DATABASE TO PUBLIC. HOW TO BUY BITCOIN:","number_of_replicas":"1","number_of_shards":"5","version":{"created":"1050199"}}},"warmers":{}}}

Information about the Bitcoin wallet from this message is listed below:

We can see that no one had paid yet.
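As an added example (not part of the original post or of Kromtech's own tooling), the Python script below runs the kind of check a defender would apply to a cluster's index-settings output such as the document quoted above: it flags indices whose name or non-standard settings keys carry a ransom marker, extracts any Bitcoin address from them, and converts the epoch-millisecond creation date to UTC. The sample input is constructed from the quoted ransom index plus a clean index, and KNOWN_KEYS is an assumed list of the standard settings keys Elasticsearch writes itself.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample modelled on the index-settings JSON quoted in the post:
# the ransom index as shown there, plus a clean production index for contrast.
SAMPLE_SETTINGS = {
    "pleasereadthis": {"aliases": {}, "mappings": {}, "settings": {"index": {
        "creation_date": "1486167641590", "uuid": "KGijVP-WT4unr85SWlm-sw",
        "notice": "SEND 0.1 BITCOIN TO THIS WALLET: 1EomYAqKiyrH4oRAV4AVHoMDGkn9MkFFxN "
                  "IF YOU WANT RECOVER YOUR DATABASE!",
        "number_of_replicas": "1", "number_of_shards": "5"}}, "warmers": {}},
    "audit-orchard-prod": {"aliases": {}, "mappings": {}, "settings": {"index": {
        "creation_date": "1486166400000", "uuid": "constructed-uuid-0001",
        "number_of_replicas": "1", "number_of_shards": "5"}}, "warmers": {}},
}

# Index names the 2017 campaign used (named in the post), the settings keys
# Elasticsearch writes itself (assumed list), and typical ransom-note wording.
RANSOM_NAMES = ("pleasereadthis", "please_read", "warning")
KNOWN_KEYS = {"creation_date", "uuid", "number_of_replicas", "number_of_shards", "version"}
RANSOM_WORDS = ("bitcoin", "ransom", "recover your database", "leak the database")
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def ransom_findings(settings: dict) -> list:
    """Return one finding per index whose name or settings look like a ransom marker."""
    findings = []
    for name, body in settings.items():
        index_cfg = body.get("settings", {}).get("index", {})
        reasons = []
        if any(tag in name.lower() for tag in RANSOM_NAMES):
            reasons.append(f"index name '{name}' matches the ransom campaign")
        # The note hides in a key Elasticsearch never writes (here "notice").
        for key, value in index_cfg.items():
            if (key not in KNOWN_KEYS and isinstance(value, str)
                    and any(word in value.lower() for word in RANSOM_WORDS)):
                reasons.append(f"unexpected key '{key}' carries ransom wording")
        if not reasons:
            continue
        wallets = sorted({addr for value in index_cfg.values() if isinstance(value, str)
                          for addr in BTC_ADDRESS.findall(value)})
        created = datetime.fromtimestamp(int(index_cfg.get("creation_date", 0)) // 1000,
                                         tz=timezone.utc)
        findings.append({"index": name, "created_utc": created.isoformat(),
                         "wallets": wallets, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(ransom_findings(SAMPLE_SETTINGS), indent=2))
```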

It is logical to believe that criminals had access to this information and could even have targeted players or agents by using the credentials the database contained. The NFL and its players would be a prime target for scams or fraud because of the millions of dollars in contracts, fees, and salaries. According to Forbes, the NFL's 10 highest-paid players will bank a combined $296 million this season (2017). With a data set covering 1,133 current and former players and agents, the chances of criminals succeeding with any attempted scam or fraud increase. The NFL has 32 clubs divided into two conferences (NFC and AFC) of 16 teams each. Each team is allowed a maximum of 53 players on its roster. That would make 1,696 active players, so researchers uncovering the data of 1,133 players is a substantial discovery.

After we followed the responsible disclosure procedure and sent notification emails to several NFLPA-related domains, the database was secured; however, there has been no word from the company.

The NFL Player’s Association Data Leak by the Numbers:

  • Total log records: 573,368

  • Records from 2017 (“audit-orchard-prod” index): 406,284, creation date 2017-02-03

  • Emails (agents + players): 1,262 records

  • 75 emails

  • Agents'/managers' IP addresses

  • Players' physical addresses

  • Players' mobile phone numbers

  • Designated Payee number codes

  • Advisor fee percentages

  • 68 URLs or pages within the domain

  • 22,974 hashes (widely used in computer software for rapid data lookup)

  • 26,271 IP addresses related to signed-in users and login locations


Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
