A misconfigured database containing records belonging to 1,133 National Football League players and their agents was exposed via an unsecured Elasticsearch server. The database belongs to the NFL Players Association and includes the home address, phone numbers and IP addresses for hundreds of current and former players.
Kromtech Security Center, which made the discovery on Sept. 26, said the database had been breached by an adversary who left behind a “pleasereadthis” file that demanded 0.1 bitcoin ($440) or the database would be made “public” within 120 hours. The ransom was never paid and the NFL Players Association has since secured the data, according to Kromtech.
A NFL Players Association spokesperson declined to comment.
“Specific indices content (was) also viewable via a browser, so anybody with an Internet connection could have accessed the data (and, as ‘pleasereadthis’ index says, somebody with malicious intent has already seen it),” wrote Bob Diachenko, chief communication officer for Kromtech.
The database incident is just the latest in a long string of misconfigured databases found recently leaking data. Earlier this year security researchers Victor Gevers said 28,000 MongoDB and Elasticsearch installations were hacked in a wave of attacks against unprotected open source data management platforms. In most of the cases, attackers were taking advantage of default installations of Elasticsearch where either no credentials or easy-to-guess credentials allow for simple attacks.
In the case of the NFL Players Association it was a misconfigured Elasticsearch database hosted on a properly configured Amazon S3 server.
“The exposed log records show NFL player information and their agent’s information, such as emails, mobile phone numbers, home address of agents and players and IP addresses which were used to sign-in and access the dashboard,” according to Kromtech.
Among the list of top names in the NFL that had personal identifiable data exposed is former 49ers quarterback Colin Kaepernick. “The seriousness of his data being leaked is that Kapernick has told reporters that he has received multiple death threats since 2016 for protesting during the national anthem,” Diachenko said.
In related research, in May security expert Jordan Wright observed an increase in hackers targeting Elastisearch instances. He noted that attackers were exploiting code against a remote code execution vulnerability discovered earlier this year in Elasticsearch server software. The attackers were using the vulnerability (CVE-2015-1427) to automatically download and run malware on vulnerable Elasticsearch servers.
The vulnerability was patched in February, but attackers are still finding vulnerable Elastisearch instances. Researchers believe the National Football League’s database is just one of 4,600 unsecure Elasticsearch instances where criminals attempt to extort money in exchange for keeping data safe and private.
In the case of the NFL Players Association, it’s believed the exposed data was a deployment and operations issue and not tied to the security of the platform.
Diachenko said the the key factor to address the database security is via a combination of automatic protection systems and “never ending internal educational initiatives aimed at raising awareness” of the dangers of leaky data and how to protect against it.
Too often databases that have been attacked simply don’t take advantage of encryption, authentication, access control and user enroll-based rights to data, say experts.