Hanging up the boots

[wizardoffire]

I think Im done.
Long story short, my account was hacked in the last week along with many other people.

Yes, Ive been a bit inactive the last month. Missed a lot of deadlines due to studying for professional exams and COVID cancellations has kinda ruined my season. Still salvageable with all the games to be made up. As of game week 22, I was still in the top 50k and a nice overall team value of 104.4 mill and 1404 points.

Fast forward a game week 990 transfers made at a cost of 3952 points leaves me on a whopping -2527 points and a position of 8.9 mill!!! My overall team value has lost 2.3 million in value and my bench boost was also activated.

Based on what Ive read on twitter, FPL towers don't seem to be doing anything. Next season they plan to introduce two factor security, game needs it now! My password was complex and I dont use third party apps for FPL, never have, never will.

Ill keep this updated, if I hear anything from FPL but Im not expecting anything to be fixed in terms of my team being reinstated. Im sorry to the side leagues that Im in that have been essentially ruined

[TheRumourMill]

Thats absolutely dreadful, sorry to hear that. Agree that 2fa was needed earlier, they got a warning when a load of hackings occurred in October (including of this very site!), and nothing was done. That was linked to Hub's rubbish security though so its alarming to hear you have been affected despite using no third party apps. They seem to be using scripts to do it which is beyond my level of computer understanding but it seems to be successful at disrupting large numbers of people unfortunately. Apologies again.

[RomynPG]

Well that's a real bummer - so sorry that that has happened to you

Like TRM I'd also be interested in how this hacker is doing what they're doing - get a common denominator if it isn't 3rd party apps. Do you mind people asking questions or are you, understandably, too fed up to go into it any more?

[wahine]

aw no matter where your rank is at a particular time, a Bruno Captain one week can turn it all around.

Hope they can do something for you?

The glass is always full, would you like to play the last season league in Fiso Draft divisionals, I will give you a shout when time comes.

[Oxford NZ]

You will be ok in the divisional champs as I can edit the data manually.

[Smurphy Paw]

Sorry to see this. Really frustrating. Fingers crossed that FPL Towers undo the damage done to you and others

[Aldershot Rejects]

That sucks. I wonder how many people have to be hacked before FPL take this seriously.
Hope FPL do something, but like you I won't be holding my breath.

[murf]

I thought the 'hack' was just them using passwords stolen in breaches on other sites. Is it worse than that?

[Ruth_NZ]

Bloody pain in the ass. Honestly don't understand what satisfaction anyone gets from ruining the innocent hobby of a random person that they don't know.

[Neath boy]

What a bummer!

Anyone have any idea how they hack with a complex password and non use of third party sites?

[hayesag]

What a bummer!

Anyone have any idea how they hack with a complex password and non use of third party sites?

fantasy football hub i believe is where it all started That site coupled with using the same password on other sites. People were warned to change all linked passwords as soon as it all kicked off. So if you didnt take note of the advice given then im sorry but u should yourself ask the question why didnt you?

anything beyond that your guess is as good as mine.

[ajcairns]

Sorry to hear that's happened to you wizard. I'd be interested to hear how the password was made complex as it's clearly been brute forced if you hadn't used it on a third party. Could be useful intel for FPL Towers (if they were interested).

[Bob Newhart]

Honestly don't understand what satisfaction anyone gets from ruining the innocent hobby of a random person that they don't know.

[Neath boy]

What a bummer!

Anyone have any idea how they hack with a complex password and non use of third party sites?

fantasy football hub i believe is where it all started That site coupled with using the same password on other sites. People were warned to change all linked passwords as soon as it all kicked off. So if you didnt take note of the advice given then im sorry but u should yourself ask the question why didnt you?

anything beyond that your guess is as good as mine.

He said he never uses third party sites such as FFH.

[Magic]

Honestly don't understand what satisfaction anyone gets from ruining the innocent hobby of a random person that they don't know.

Exactly. It was a dumb question to be honest. Obviously they did it just for the hell of it because they could.

[Multiple Scorgasms]

They still haven't sorted it, Brothers account hacked and nane changed to Ben Crillen.

Seems anyone can be a target, not just top 100k etc

Sent from my SM-A515F using Tapatalk

[Multiple Scorgasms]

They activated BB so he can't even WC put of the hits.

Sent from my SM-A515F using Tapatalk

[Malrom]

FISO is probably a small community compared to the 9'00'000 players, but maybe an email from Admin could wake them up to do something!

Just a suggestion and not sure if it would make a difference!

[wizardoffire]

Sorry for the late reply... real life has somewhat taken a priority.

They did finally reply. Not a very encouraging message.

Dear Fantasy user,

Thank you for getting in touch. We’re sorry to hear this has happened to your FPL team.

We believe what has happened is that you’ve used the same email address and password combination on another online account which at some point in the past has been involved in a data breach, leaving your FPL account exposed. We published this article related to this issue - https://www.premierleague.com/news/2462999

To secure your account, it’s important you now change the password to a strong and unique one which you don’t use on any other websites or apps. You can do this by logging into your account or by using the ‘Forgot your password?’ link on the login page.

We frequently receive requests from FPL managers for a variety of reasons to reinstate transfer points and chips played. In fairness to all managers and to apply consistency across the game, we’re unable to grant these requests with very few exceptions.

We understand this is disappointing but hope you’re able to continue playing FPL and enjoy the remainder of the season as best you can.

Kind regards,
Fantasy Premier League Support

Email suggests they are washing their hands of the matter. Little digging shows the account used was involved in a data breach that I was not aware of

I sent them a response back so will see what happens. In particular calling out the very few exceptions. I mean this isn't someone getting drunk mass transferring their team and then triple captaining a player and then contacting them saying I meant to make these changes and actually my triple captain was meant to be this player who just happened to score a hat trick.
There are thousands of accounts out there all in the same boat and they just dont seem interested in putting in the effort to resolve these accounts.

The audacity to suggest that they hope I continue playing FPL and enjoy the remainder of the season as best I can is a JOKE! Im not even going to get back to zero. Fixing my team is going to basically take my wildcard, won't be able to get the team back to what it was due to the loss in value and now its behind the trend as then I dont have the means to react further down the road. Its just down the drain unless there is some form of fix. The motivation really has gone :'(

[wahine]

It's a poor response, surely they know when they have been hacked?

The chaos to the team could only be through malicious means.

With the so called twitter experts getting early team news advantage, and the probability that a good proportion of those nearly "9 million players" being multi entries, game could seriously be in trouble moving forward with that attitude.

what other troubleshooting could they be doing during the season that they don't have time to check out the obvious.

Yep a grumpy Kiwi again and it wasn't even my team - yet.

I hope you get a better response WOF - sigh

[wizardoffire]

Seems FPL sent a generic email out to all accounts over night

Dear FPL manager,

We are writing to all Fantasy Premier League (FPL) managers who have had their FPL account compromised in recent weeks.

Firstly, and importantly, we are very sorry this has happened to your FPL team and that your season has been impacted in this way. We understand that recent events have been deeply frustrating for users who invest significant time and effort in FPL and derive a great deal of enjoyment from the game. To that end, we would like to provide you with further detail so you can better understand how and why your FPL team has been compromised and how to mitigate the risk of future attacks.

Credential Stuffing

Over recent weeks, an increasing number of FPL accounts have been compromised. We believe the attacker has gained access to these accounts through a process known as ‘credential stuffing’. This is a type of cyber-attack where an attacker obtains a list of stolen login credentials from historic third-party data breaches. The attacker then systematically uses these credentials to attempt to login to another website or app. Most of these login attempts will fail, but where a user has adopted the same email address and password combination across multiple websites or apps the attacker may succeed and gain access to a user’s account. Internal investigations and analysis of our data logs have revealed behaviour that is consistent with credential stuffing.

The typical activity we have seen from the attacker once they have gained access to another FPL manager’s account is to change the team’s name, make multiple transfers resulting in a significant points deduction, add teams into new mini-leagues, and in some cases change the manager’s name.

We appreciate this is of little consolation to you now, but we have been actively trying to stop these attacks and have been successful in many instances.

Our systems

In response to the attacks, we have carried out robust internal system checks and there is no evidence of a security breach on our systems. This is in addition to various independent penetration tests carried out over the course of the last year.

Moving forwards, we will continue to maintain robust security defences as well as looking to identify new technological solutions that can help to bolster our existing security defences. We have also committed to offering all FPL managers two-factor authentication for the 2022/23 season onwards.

What you can do

If you have not done so already, please change the password on your FPL account as soon as possible. This is very important to ensure you secure your account and mitigate the risk of any further attacks. You can do this by logging into your account or by using the ‘Forgot your password?’ link on the login page. Please create a unique password that is not used elsewhere. It is also prudent to create a strong password that would be hard for an attacker to guess. In addition, we strongly encourage you to update your password(s) on other websites and apps to prevent you being targeted in the same way.

Points, chips and teams

We have received requests from FPL managers to reinstate transfer points, restore teams to how they appeared in previous Gameweeks, and return chips played or provide additional chips. Whilst, of course, we would love to be able to do this, it would be inconsistent with our policy in respect of such matters. In fairness to all FPL managers, in order to protect the integrity of FPL, and to ensure that we adopt a consistent policy across the game, we are unfortunately unable to grant these requests. This is as difficult a decision as it is disappointing for you, and we sympathise with your situation.

Again, we deeply regret the impact that this has had on FPL managers. We hope you can overcome it and continue playing FPL this season or return to play in the future.

Kind regards,
Fantasy Premier League

Make what you want of that but this email almost contradicts the email I shared yesterday. They said they can make exceptions but here they arent budging

The integrity of FPL has been ruined because teams have been affected that were competing. I was top 50k and well placed for a final season push.

[Mav3rick]

I don't really see how restoring a team selection, points and chips to a point before the unauthorised access is damaging the integrity of the game.

I can see that they don't want to have to judge when a player claims they were hacked and just regrets their wildcard, but in cases like the above where hundreds of points hits were taken its clearly not been done deliberately, I can't see an integrity issue.

[murf]

I don't really see how restoring a team selection, points and chips to a point before the unauthorised access is damaging the integrity of the game.

I can see that they don't want to have to judge when a player claims they were hacked and just regrets their wildcard, but in cases like the above where hundreds of points hits were taken its clearly not been done deliberately, I can't see an integrity issue.

So where do you draw the line in the sand in terms of number of transfers? When does drunken idiocy become clear hacking?

[Mav3rick]

That's my point, I can understand why FPL don't wanna have to make those decisions.

It's like VAR, you clear up the howler but then you get bogged down by armpits and toenails...

[murf]

But there has to be a line in the sand to define something where it isn't clear and obvious whether something is clear and obvious ir not.

[Mav3rick]

I think we are agreeing!

It's "obviously" an error in wizardoffire's case, and if we were being fair about this one case only then we can easily justify a correction on instinct. But do that for one manager and you have to make a rule, at which point the edge cases get blurred you'll get someone with a -8 who says it was a hack and wants it reverted.

I don't have a problem in saying wizardoffire's case is obviously unfair and should be reverted, but I cant define a boundary and I understand why FPL don't want to either, and hence the blanket "no correction" response.

[murf]

Have to agree - especially as this 'hack' is not in the slightest down to anything FPL have done wrong.

[wizardoffire]

even in a drunken stupor, firstly is anyone going to make 990 transfers? I've never gotten drunk so cant really speak from experience but I can't imagine anyone is capable of doing that. They might make what 15 transfers thinking they were wildcarding but forget to activate it and take the hit. These transfers were mass planned and Im fairly confident the same transfers were done across all affected accounts at the same time to get to the hackers final desired team.

I think I have said before Id happily be given a score of zero for the affected gameweek and still have my chips and team intact, than be left with this mess.

Re: the boundary of drawing a line... clearly something this excessive and making 990 transfers is enough to make an exception?

[Mav3rick]

I agree and as I said, in your case when you look at the situation as a human you can see its a hack and that the team, hits and chips should be reverted to the state before the hack, with either 0 points or just scoring as if you never changed the team. You just know intrinsically that is the fair and proportionate response.

The issue just comes when you codify the rules to cater for everyone in a objective way, say you set the limit at 100 transfers, well the hackers will stop at 99, but 99 is still unfair, so maybe you stop at 50 or 20 or 10. Then someone will regret a -8 and make another 6 transfers to reach the boundary, so you have to look at logs and judge if you think it was actually the same user or not. But many people legitimately use VPNs so you'll not know the difference, it's just messy, time consuming and ultimately unenforceable, so the default position is that nobody gets a reset, except in presumably some extremely high profile cases (did FFS' Andy get his team re-instated, I think so from memory).

The MFA is a good response (shame it wasn't in play sooner) and as individuals, we can do more to protect ourselves too (Bitwarden as a password manager I can thoroughly recommend).

I do honestly think you should get your team and points reverted, but I can understand why FPL don't want to poke the hornets nest.

[andybarrell]

Still top of the League......................all still to play for

23 League One Table.png