Cyber Incident Victim: National Football League

On June 7, 2016, unauthorized individuals gained control of the National Football League’s official Twitter account (@NFL). The attackers used the compromised account to publish a false announcement claiming NFL Commissioner Roger Goodell had died. During the breach, the @NFL account followed a single new Twitter profile, @IDissEverything, which was subsequently suspended by Twitter. The attackers or associates linked to the suspended account publicly disclosed the NFL account’s password as “olsen3culvercam88.” A report from The Daily Dot indicated credentials were obtained by accessing the email account of an NFL social media staffer, where the Twitter login details were stored in a message. The exact method of email compromise remained unconfirmed. The unauthorized access was terminated quickly, limiting the duration of the account takeover but not before the false death report circulated publicly.

This incident occurred amid a series of high-profile Twitter breaches during the same period, including compromises affecting Facebook CEO Mark Zuckerberg and celebrities such as Katy Perry and Kylie Jenner. Zuckerberg’s breach stemmed from password reuse across platforms, with his LinkedIn credentials exposed in a 2012 breach. The NFL breach echoed tactics used by groups like the Syrian Electronic Army, which hijacked major news organization accounts between 2012 and 2013 to spread false information, including a fabricated AP tweet about a White House explosion. Twitter’s two-factor authentication, requiring a linked smartphone or phone number, was noted as an available security measure that could mitigate such takeovers. The NFL did not publicly confirm whether additional security measures were implemented post-breach. No operational disruptions to league systems beyond the social media account were reported, and the organization regained control of the account without further disclosed incidents.