The personal details of 1,133 NFL players and agents have been exposed in a data breach, according to cybersecurity researchers from Kromtech, a division of MacKeeper.
Discovered on 26 September, the leak has been blamed on a misconfigured database, with hijacked player details including email accounts, home addresses and phone numbers.
There was evidence that hackers were attempting to ransom the data – trying to force the server's admin to pay 0.1 bitcoin (£320) for the data to be returned.
Bob Diachenko, Kromtech's chief communications officer, said in a blog post this week (3 October) that a note titled "pleasereadthis" was found on the server.
The list of high-profile victims was found to include some of the top names in the NFL, among them former 49ers quarterback Colin Kaepernick, whose details were leaked in plain text.
On 3 February 2017, one of the alleged culprits left a ransom message inside the NFL database that read: "If payment is not made within 120 hours we will leak the database to the public."
Analysis of the unique bitcoin address showed that no transactions had been processed.
"This appears to be the first data leak of NFL player data and the most ironic part is that no hacking was involved, the data required no password or authentication," Diachenko wrote.
The leaky Elasticsearch server was believed to have been linked to the National Football League Players Association, or NFLPA. The full list of victims was not revealed.
According to Forbes, which first reported news of the breach, the NFLPA sent alerts to impacted agents on Monday (1 October) making them aware of the incident.
The database was reportedly secured by 29 September.
One agent, who did not want to be named, told Forbes that the player records were available online for a "two-hour period last week" and that Microsoft had been helping to clean up the breach. An NFLPA email noted: "We are directly informing all players involved."
Most of the victims, Forbes reported, were free agents like Kaepernick. Other names included quarterback Robert Griffin III and cornerback Darrelle Revis.
"It is logical to believe that criminals had access to this information and could have even targeted players or agents by using the credentials the database contained," Diachenko wrote.
"The NFL and its players would be a prime target for scams or fraud," he added.