NFL players may not mind having their views on social issues known, but they are probably not happy that a publicly accessible database has been found containing private information on about 1,100 players and their agents.
Kromtech Security Center researchers found on September 26 a misconfigured Elasticsearch database containing data collected from an Orchard Audit module, a free content management system, that tracked activity on several NFL related domains. This information was then sent back to Elasticsearch for analysis. Elasticsearch is anopen source RESTful search and analytics engine.
About 387MB of information on 1,133 players containing 573,368 records was exposed, Kromtech reported. Some of the information included agent and player email addresses, email addresses from the NFL Players Association, agent and manger IP addresses, player’s house address and mobile phone numbers.
“Moreover, specific indices content are also viewable via browser, so anybody with Internet connection could have accessed the data (and, as ‘pleasereadthis’ index says, somebody with malicious intents has already seen it),” Kromtech noted.
Kromtech noted that this is not the first time Elasticsearch databases have been found publicly available. Researchers estimated about 4,600 of these databases have been compromised and in at least one case accessed by a malicious actor when a ransom note was found in one of the files, not associated with the NFL.
The NFL has not yet responded to an SC Media request for further information.