A series of account takeover hacks has prompted the EPL to promise to introduce two-factor auth controls to its official Fantasy Premier League game (FPL) from next season.
The game has more than 8 million player accounts, and a wave of hacks this season has seen attackers seemingly targeting successful teams ranked in the top 100,000. The number of account takeover attempts is unclear, but simply searching for the term ‘hack’ on the Fantasy PL Reddit shows many people claiming to have been affected, and the problem is far from isolated. In many cases accounts have been deleted, and it has been difficult to reclaim the points they had gained.
The hackers have been making many transfers, resulting in point deductions for compromised accounts and a severe ranking slide that can easily ruin a player’s season. The unidentified miscreants have also been changing the names of victims’ teams.
The Premier League has reacted on its official Twitter account to the escalating prevalence of hacks over recent weeks, advising users to change or update their password on a regular basis, a practice that has drawn scorn from password security experts.
Earlier this season, the Premier League, which is run under the auspices of the Football Association, issued a statement blaming incidents of account takeover on users sharing login details with unnamed third-party websites.
FPL players often use third-party websites or applications to aid team management. Many are assumed to be using the same login credentials across multiple sites, leaving them wide open to credential stuffing attacks if any site they have visited suffers a breach.
Escalating incidents of account takeover over recent weeks have brought the issue to the boil. Last week the Premier League implemented a rule change, disallowing managers from making more than 20 transfers in a single game week, except in cases where unlimited transfers can be made without penalty.
The Premier League's move to tweak the rules of the game rather than introduce 2FA sparked anger from the community and, under the weight of fan pressure, the Premier League relented by promising to introduce 2FA only from next season onwards.