A spate of account takeover hacks has prompted the English Premier League to promise to introduce two-factor authentication (2FA) controls to its official Fantasy Premier League game (FPL) from next season. FPL has more than eight million players, who sign up with a standard email address and password; 2FA is not currently offered as an option.
A wave of hacks this season has seen attackers seemingly targeting successful teams ranked in the top 100,000. The precise number of account takeover attempts is unclear, but many people are claiming to have been affected, and the problem is far from isolated. In some cases, accounts have been deleted and many victims have struggled or failed to get back lost fantasy football league points.
The FPL game is free to enter, and the chances of winning a prize, such as a trip to see a football game or Premier League merchandise, are slim to none. Nonetheless, many FPL participants devote considerable time to researching and selecting their team over a period of months, in an effort to outscore and outrank their friends and colleagues in the many private leagues that are a feature of the game. The game has also spawned a vibrant community of YouTube channels, discussion forums, and (several subscription-based) team selection aid websites.
The hackers have been making many transfers, incurring the point deductions the game applies to extra transfers and causing a severe ranking slide that can easily ruin a player's season. The as-yet-unidentified miscreants have also been changing the names of victims' teams.
Neither the motive of the attackers (sabotaging rivals, sheer devilment, or something else) nor their identity is clear.
The Premier League reacted to the escalating prevalence of hacks over recent weeks on its official Twitter account by advising users to change their password on a regular basis, a practice that has drawn scorn from password security experts.
“Updating passwords on a regular basis is old and bad advice… you [should] use long and unique passwords for each service… coupled with 2FA,” Per Thorsheim, security expert and founder of the PasswordsCon conference, told The Daily Swig.
Finding a way forward
Escalating incidents of account takeover over recent weeks have brought the issue to the boil.
Last week the Premier League implemented a rule change, preventing managers from making more than 20 transfers in a single game week, except in cases where unlimited transfers can be made without penalty (e.g. when the once-a-season Free Hit chip is played).
The Premier League's decision to tweak the rules of the game rather than introduce 2FA sparked anger in the community and, under the weight of fan pressure, the Premier League relented on Tuesday (January 25) by promising to introduce 2FA, albeit only from next season onwards.
“We will continue to take steps to protect account security and we are committed to the introduction of two-factor authentication for the 2022/23 season,” the Premier League said through its official Twitter account.
In an associated blog post on the Premier League website, game organizers blamed the spate of account takeovers on breaches of third-party websites, without naming particular suspects. This supports the credential stuffing theory: attackers replaying email and password pairs leaked elsewhere against the FPL login, which succeeds wherever the same combination has been reused.
“A number of Fantasy Premier League managers have had their squad compromised in some way during the last week. We are sorry their season has been impacted in this way and the frustration it has caused. There is no indication or evidence of a security breach on the accounts of these FPL managers via fantasy.premierleague.com or the Premier League mobile app. Unfortunately, those FPL managers affected had used the same email address and password combination on other third-party websites or applications that have been involved in security breaches in the past. These breaches are not limited to websites or applications that provide FPL-related information or services. We would like to take this opportunity to remind all FPL managers that using the same email address and password combination on other sites puts the security of your FPL team at risk.”
Above is the report written by Jonny Pringle, software developer at PortSwigger.
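The mechanism the Premier League statement describes (an email/password pair leaked from a third-party site and replayed against the game's login) and the 2FA control it promises are shown below as an added Python example. This is not code from the original article, from PortSwigger, or from the Premier League; the breach dump, the account backend and the email addresses are all constructed for illustration, and the second factor is a standard RFC 6238 TOTP (the scheme authenticator apps use), which is an assumption about what "2FA" will mean here.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed "breach dump" from a hypothetical third-party site (not real data).
LEAKED_THIRD_PARTY_CREDS = [
    ("alice@example.com", "Liverpool2021!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct-horse-battery-staple"),
]


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the 30-second time step counter."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AccountStore:
    """Hypothetical stand-in for a game's login backend (not FPL's code)."""

    def __init__(self):
        self._users = {}  # email -> (salt, password hash, TOTP secret or None)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password, totp_secret=None):
        salt = os.urandom(16)
        self._users[email] = (salt, self._hash(password, salt), totp_secret)

    def login(self, email, password, totp_code=None, now=None) -> bool:
        rec = self._users.get(email)
        if rec is None:
            return False
        salt, pw_hash, secret = rec
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return False
        if secret is None:
            return True  # password-only account: a reused password is enough
        if totp_code is None:
            return False  # correct password, but no second factor presented
        now = int(time.time()) if now is None else now
        # Accept the current step and one step either side to tolerate clock drift.
        return any(hmac.compare_digest(totp_code, totp(secret, now + d * 30))
                   for d in (-1, 0, 1))


def credential_stuff(store, leaked_creds, now=None):
    """Replay every leaked email/password pair; return the emails that fall."""
    return [email for email, pw in leaked_creds if store.login(email, pw, now=now)]


def demo(now: int = 1_700_000_000):
    store = AccountStore()
    # alice reused her leaked password and has no 2FA.
    store.register("alice@example.com", "Liverpool2021!")
    # bob uses a unique password on the game, so the leaked one is useless.
    store.register("bob@example.com", "q7!Vn#2pLx9$wE")
    # carol reused her password but enrolled TOTP (RFC 6238 test secret).
    secret = b"12345678901234567890"
    store.register("carol@example.com", "correct-horse-battery-staple",
                   totp_secret=secret)
    compromised = credential_stuff(store, LEAKED_THIRD_PARTY_CREDS, now=now)
    carol_ok = store.login("carol@example.com", "correct-horse-battery-staple",
                           totp(secret, now), now=now)
    return compromised, carol_ok


if __name__ == "__main__":
    print(demo())  # (['alice@example.com'], True)
```

Only alice's account falls to the replay: bob's unique password means the leaked pair never matches, and carol's reused password is correct but the login refuses it without the time-based code, which the attacker does not have. Note that nothing in this flow is helped by periodically changing a password; what matters is that the password is not shared with another site, and that a second factor is required when it is.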
Sources:
https://twitter.com/OfficialFPL/status/1484551511417970695
https://www.premierleague.com/news/2462999
https://twitter.com/OfficialFPL/status/1484551515415187460
https://portswigger.net/daily-swig/fantasy-premier-league-account-hack-surge-prompts-plans-to-introduce-extra-login-checks-for-football-fans
https://www.reddit.com/r/FantasyPL/search/?q=hack
Thank you for such an informative blog. I want to add that the Football Association (FA) offered a statement blaming incidents of account takeover on users sharing login details with unnamed third-party websites.
Interesting post. Even though I do not play Fantasy league, I have heard about the game a lot. It is good to hear that they are finally bringing 2FA to the game. However, this is something that should have been introduced a very long time ago. Still, it is great to see games being provided with top-level security.
Hi, this was a cool topic to read about! As a person who once got my Xbox account hacked, I really think all game industries should introduce two-factor authentication for account security! They should also remind the players to change their passwords every once in a while, because it's better to be safe than to get hacked and regret it!
Cool post! I haven't played FPL, but I have played fantasy basketball, and people hacking fantasy managers is shocking. It seems like such a minuscule thing that people are usually playing with friends. Even though I understand it could get competitive at times, hacking someone just doesn't make sense. It'd be interesting to see if stronger 2FA gets implemented in other fantasy sports.
This was an interesting post to read.
It is surprising to see that a game with around 8 million users didn't have 2FA yet. But it's good to see that the company is finally taking steps to improve the security of its users. In my opinion, all other similar game companies must introduce security measures such as 2FA to prevent their users' accounts from getting compromised.
Hey, great post! I found it surprising that such a platform does not have 2FA. Considering the number of users that are active on the app, I would imagine that the owner would take the time to ensure the protection of its users. Nonetheless, you learn from your mistakes and try to improve to prevent any future occurrence. However, I do have a question for you. Do you think 2FA and the features implemented with the new update are sufficient to protect the users? Could they make use of some other new technology or method to get a step ahead of attackers?
I have recently started playing Fantasy football league and, after reading your post, I can understand how not having 2FA can lead to many problems for the genuine players trying to enjoy and compete with one another. It is very disheartening to see that players earn their points over years and then someone just hacks your account and transfers your points or, even more shockingly, deletes your account. I even read an article that mentioned that it was the users' fault as they shared their login details. Now that they are introducing 2FA, the number of accounts hacked would decrease, but will it stop? I don't think so. I guess it is high time we develop new methods of protection.
Thank you for an interesting post!
I am a big fan of the English Premier League and have also played FPL for almost 10 years. So, I know we spend a lot of time every week analyzing in order to make the right transfer. It will be terrible if someone can access your account, take many hits, then ruin your whole season. When I heard that news, I changed my password immediately. I'm glad that they will use 2FA for the next season and I hope there will be no more hacking in the future.
Interesting post! This also drives home the point of why you should not reuse passwords on multiple websites, because now that the attacker has your fantasy league password, maybe for now they are just making transfers on your fantasy team, but they could then use the password on your bank account, or something more important than fantasy league, and then the user is compromised if they reuse passwords.