Fantasy Premier League blames password hygiene as teams vanish

Bad password hygiene may be a culprit...

The official Fantasy Premier League (FPL) -- the most popular Fantasy Football game in the world with over seven million users last season -- says there is "no indication or evidence of a security breach" after scores of players reported that their team had been completely deleted, or tampered with.

Players around the world received an email this morning that hinted the mystery deletions -- reported to include the #1 ranked manager -- could be linked to FPL managers sharing their login credentials with third-party websites or applications. Doing this, the FPL noted, "puts the security of your FPL team at risk."

The FPL also blamed poor password hygiene. It offers multi-factor authentication (MFA) as an option but does not mandate it for users. (Users can check whether their password has been exposed in a previous data breach here.)

Fantasy Premier League passwords: QWERTY won't do.

"We have never condoned or endorsed the use of third-party websites or applications to aid FPL team management," the FPL said, adding: "In addition, we recommend that FPL managers practise good password hygiene by using a strong password that would be hard to guess, creating a unique password for FPL that isn’t used elsewhere, and updating the password regularly."

The statement did little to placate those affected, with players taking to social forums to urge FPL to find a way to roll back the malicious changes. (It was not immediately clear how many victims there were.) Others, meanwhile, were less sympathetic...

As one user commented: "I think at least you could restore the affected accounts to their original owners. Then maybe focus can be turned to these 3rd party apps and try and establish which one/s are leaking data somehow. Maybe you could assist with that as it’s your game that’s being compromised here."

Password security remains a huge issue, including at the enterprise level.

Out of 100,000 passwords shared by the National Cyber Security Centre (NCSC) in 2019, the top 10 were:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Football team names are also commonly used as passwords.
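A registration-time check of the kind the FPL's advice implies, written here as an added example (not FPL code): it rejects the NCSC top-ten passwords quoted above and passwords built on football team names, after undoing the trailing digits and letter-for-digit substitutions that turn "password" into "password1" or "Ch3lsea". The team-name list and the 12-character minimum are constructed assumptions; a real deployment would load the full NCSC set and club list from a file.

```python
import re
from typing import Optional

# The ten most common passwords in the NCSC's 2019 sample, as listed in the article.
NCSC_TOP10 = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
}

# Constructed sample of club names (assumption, not from the article); a deployment
# would load a full list, plus the rest of the NCSC 100k set, rather than hard-code it.
TEAM_NAMES = {"arsenal", "liverpool", "chelsea", "everton", "tottenham", "spurs"}

# Common single-character substitutions, undone so "Ch3lsea" resolves to "chelsea".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password: str) -> set:
    """Forms of the password an attacker's wordlist would plausibly contain."""
    lowered = password.lower()
    # Drop trailing digits/punctuation so "Arsenal2021!" is judged as "arsenal".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered, stem, lowered.translate(LEET), stem.translate(LEET)}


def check_password(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password passes every check."""
    forms = candidates(password)
    if forms & NCSC_TOP10:
        return "appears in the NCSC most-common-passwords list"
    if forms & TEAM_NAMES:
        return "is based on a football team name"
    if len(password) < 12:  # assumed policy threshold, not from the article
        return "is shorter than 12 characters"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Password1", "Arsenal2021!", "Ch3lsea", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```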

Setting up MFA is a hugely effective step against attacks that target the widespread low-hanging fruit of "admin/password"-type login credentials. Making it mandatory, as many an IT admin at both large and small organisations will know, is not always an easy process despite it being a "common sense" security requirement.

Attacks targeting weak passwords meanwhile continue to be effective even for state-level attackers, not just Fantasy Premier League wreckers. The NCSC in July 2021 pointed to ongoing "widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide" that it blamed on the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The GRU got a little avant-garde with that attack, powering it with Kubernetes clusters.

See also Russia’s GRU powers global brute-force campaign on K8s