Cyber Incident Victim: Fantasy Football Hub
Date: Oct 2021
Location: United Kingdom
Summary
Fantasy Football Hub experienced a cybersecurity incident in which an attacker compromised its WordPress administrator dashboard, accessing usernames, email addresses, site financial reports, and affiliate payment records. While payment details handled by external gateways remained secure, some hashed user passwords were brute-forced and exposed. The organization responded by resetting all user passwords, enforcing stricter password complexity requirements, upgrading password hashing protocols, enabling two-factor authentication for administrators, and initiating plans to extend this security feature to all users. They also conducted malware scans and arranged ongoing external security testing, though the total number of affected individuals was not disclosed. The company publicly apologized for the breach and collaborated with law enforcement and regulatory agencies during the investigation.
Description
On October 2, 2021, Fantasy Football Hub, a Premier League fantasy football analytics startup, experienced a cybersecurity breach when an attacker compromised its WordPress administrator dashboard. The unauthorized access enabled the attacker to download user data including usernames, email addresses, site financial reports, and affiliate payment records. The company detected the intrusion that same evening and initiated a coordinated response involving Action Fraud (the UK’s national fraud reporting service), law enforcement, the Information Commissioner’s Office (ICO), their hosting provider, and external security firms. Fantasy Football Hub publicly disclosed the incident via a blog post, urging users to assume all non-payment information provided during sign-up was compromised pending a forensic investigation. The breach did not expose bank details, as payment processing was handled externally by PayPal and Stripe. However, the attacker successfully brute-forced some hashed user passwords stored within WordPress, leading to confirmed credential compromises.

The breach prompted immediate containment measures, including a forced reset of all user passwords and the implementation of a stricter password complexity policy to deter future brute-force attacks. Fantasy Football Hub conducted malware scans on its systems, scheduled recurring external security audits and penetration tests, and upgraded its password hashing protocols to enhance cryptographic protection. Administrative accounts were secured with two-factor authentication (2FA), with plans to extend this safeguard to all users. In public communications, the company expressed regret for the incident, acknowledging user frustration while emphasizing transparency in its remediation efforts. The organization did not specify the number of affected accounts but confirmed the compromise extended to operational documents like financial reports and affiliate payment records alongside user credentials. No evidence suggested prolonged attacker persistence within the environment beyond the confirmed data exfiltration.
