
FBG Data Breach?

Keerock

Footballguy
Just got this email from LastPass:

Breach alert: Action required

LastPass has detected that your personal data has been compromised in an online breach at another company or service. LastPass itself has not been breached.

FINDINGS
Compromised email: *****@*****.com
Compromised site: footballguys.com
Compromised data: Emails, Passwords
 

 
Thanks. We'll take a look there. Everything on our end seems completely normal but of course we'll see what we can find there.

 
if you give me your email and password and a valid credit card, i’ll check it out on my end.

 
I'm wondering if my account was involved in a data leak yesterday at the DMV. They had a sign at the exit by the trash cans that said something like: "Please secure all documents containing personal identifying information. Identity theft has been on the rise at this location." However the sign was worded, it seemed to me that they were suggesting identity theft had been traced back to people throwing paperwork out at this DMV. How careless and strange, I thought.

The representative helping me apply was sassy. She needed a supervisor signature and kept pestering the lady seated to the left who was busy helping another customer. The rep on her right said "I'll see you at the unemployment line." "Please," my rep responded, "they haven't fired me yet, they are never going to." Towards the end of our interaction, after she had made a copy of my birth certificate and entered my info into her computer, I noticed she jotted my SSN on the customer service slip which I assumed would be thrown out around this point. It seemed strange that she would need to reference my SSN, which was visible on my digital application that she viewed on her computer. But I'm not always in the mood to rock the boat so I let this pass without comment, walked over to the picture area and was told to expect my ID in the mail within 2-6 weeks. But when can I expect to see new lines of credit opened in my name?

 
LastPass wasn't very helpful for us but we were able to get to the company LastPass works with on this.

Here's our latest thought on it and what we're relaying to folks that ask. 

Rest assured, we take this issue very seriously, and our team is actively and aggressively investigating whether a breach has occurred. We have not found any evidence that this has happened.
 
From everything we can tell, it is very unlikely that our authentication system has been breached, either now or in the past. We have reached out to the security firm that provided this info to LastPass, and this does not appear to be the case. Instead, it seems that some Footballguys username and password combos may have been gathered - along with those from thousands of other sites - through other means. One such example is a data breach at a website unrelated to us, exposing a username and password that the user also used at Footballguys.
 
Changing your password regularly and using different passwords for different sites is always advisable.

We have a long history of keeping your data safe here at Footballguys and you and your data remain our top concerns.
 

 
FYI, I got a notification from IDTheftDefense yesterday afternoon, so it isn't just LastPass

Notification Details

Description: Email Detected: [my e-mail]

Data Breach: footballguys.com

Username: [my e-mail]

Exposed Data: Emails, Passwords

Breach Date: 07/27/2022

 
Just got notification from Credit Karma that my data was found in a breach from Footballguys in November 2022.

Sweet. (n)
 
Can you post the exact message you received from Credit Karma?

We had a notification today from a poster that said the Credit Karma message was:

Reported on November 2022
In November 2022, Football Guys' database was allegedly breached. Even if you don't use your Football Guys account anymore, it's important to protect any info that was exposed.

We of course take this extremely seriously and will contact Credit Karma for more information. We are as certain as possible we have had no data breach. And we've taken every effort possible to ensure we don't have any breaches in the future.

If Credit Karma is saying something different than the above, please let us know.
 
Hey @[icon]

We don’t currently believe that the Footballguys database was breached.

We store passwords in hashed form, the result of a one-way encryption. That’s a techie way to say, I’m a developer with Footballguys, and I can see our databases - but I don’t know what anyone’s passwords are.

Even if someone did find a way to get a copy of our databases, which of course we take every possible effort to make sure doesn’t happen; even then they wouldn’t know anyone’s passwords

The most likely way this “breach” has occurred is that someone has taken known username and password combos from other sites who have stored passwords as plain text, and then checked to see if those combos work on Footballguys also (and a ton of other sites around the web)

We follow all the reasonable security processes we can, including insisting on SSL, IP address login attempt limits, hashed passwords, and many others.

We’ll always keep an eye on reports like this. But I honestly don’t believe that our systems have been breached here. As I said to @Joe Bryant on our internal forums, if I thought there was the slightest chance they had, I’d lock myself to my computer until I’d figured it out!
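
Added example, not part of the post above and not Footballguys' code: a sketch of how a defender could tell the credential-stuffing pattern the post describes (known combos tried across many accounts) apart from ordinary failed logins, using per-IP login counts. The event tuples, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success). Not real data.
SAMPLE_EVENTS = (
    # One source tries 40 different accounts once each; one reused combo works.
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # One source hammers a single account with guesses.
    + [("198.51.100.9", "alice@example.com", False)] * 12
    # An ordinary user mistypes once, then logs in.
    + [("192.0.2.44", "bob@example.com", False),
       ("192.0.2.44", "bob@example.com", True)]
)

def classify_sources(events, min_attempts=10, stuffing_user_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are illustrative assumptions, not values from the thread.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["hits"].add(user)

    report = {}
    for ip, stats in per_ip.items():
        # Stuffing: almost every attempt names a different account.
        ratio = len(stats["users"]) / stats["attempts"]
        if stats["attempts"] < min_attempts:
            label = "normal"
        elif ratio >= stuffing_user_ratio:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        report[ip] = {
            "label": label,
            "attempts": stats["attempts"],
            "distinct_users": len(stats["users"]),
            # A success from a flagged source means a reused password worked:
            # that account needs a forced reset even though no database leaked.
            "accounts_to_reset": sorted(stats["hits"]) if label != "normal" else [],
        }
    return report

if __name__ == "__main__":
    for ip, row in classify_sources(SAMPLE_EVENTS).items():
        print(ip, row)
```

Per-IP counting of this kind misses a run that is spread thinly across many source addresses.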
 
Compared to the OPM breach, which I was a victim of, this is a penny in the ocean if true - which from the above is pretty dubious. Time to change another password, just in case, though.
 
I got the same email and message from Credit Karma - email and password were breached.
 
Same here
 
Just went and looked at my Credit Karma and it also shows Footballguys as a data breach in November 2022. But it is referencing a password I don't use for this site or anywhere else. It was hacked years ago and I've never used that password again.

** Edited to add that according to Credit Karma my personal info has been in 34 data breaches including 2 exposed passwords (both of which I haven't used in years) **


Football Guys breach

Reported on November 2022
In November 2022, Football Guys' database was allegedly breached. Even if you don't use your Football Guys account anymore, it's important to protect any info that was exposed.

Exposed Info

Email address
XXXXXXXXX <- I redacted this from the email
Password
*********

Here's what you can do

Stop using that password

Hackers might use the password from this breach to try to gain access to other accounts, so it's important to change it anywhere it's used.
If you don't know what the password is or where else you use it, start by making sure you have different passwords for any accounts with sensitive info — like your banking app, health insurance site, tax software, email account, etc.
 
Our @Memphis Foundry who is the most diligent person I know researched and put this together for us. This is obviously super important to us and we'll continue to do everything we can here.

Obviously, we take any security issue very seriously, and our team actively and aggressively investigated whether a breach has occurred. We have not found any evidence that this has happened. But we continue to be vigilant there.

It is very unlikely that our authentication system has been breached, either now or in the past. We confirmed this with the Dark Web monitoring firm that first discovered this file and reported it to the security software providers they serve.

Their analysis of the list revealed a relatively small number of Footballguys login credentials mixed in with login info from more than 25,000 other sites. Security researchers call these mixed credential lists "combolists" because they're gathered at different times through indirect means rather than a direct breach of a site's authentication systems.

Common methods of indirect credential harvesting include spyware and keyloggers installed on client devices, email phishing schemes, and reusing the same email and password on multiple websites.

Security researchers recommend changing passwords regularly and using a unique strong password for each site to reduce the risk presented by these distributed credential lists.
 
That makes a lot of sense. Lots of ways to get credentials.
 
Remember if this account says something stupid and gets suspended I was hacked and you should let me back in because it wasn’t really my fault.




:)

I got the same credit notification and it had a PW I haven’t used in probably a decade. Not a concern from my end.
 
What’s ironic is that the first post says that he got a notification from LastPass that his login info here was potentially compromised. LastPass (a password management company) was actually breached recently and it turns out that they weren’t really using best practices and, unless you were using really strong passwords, every one of your logins that LastPass had is at risk. So that’s neat.
 
I haven't heard anything from LifeLock about a breach here but I did just get one saying a bazillion Twitter accounts were exposed. Not surprising since Elon fired everyone.
 
What’s ironic is that the first post says that he got a notification from LastPass that his login info here was potentially compromised. LastPass (a password management company) was actually breached recently and it turns out that they weren’t really using best practices and, unless you were using really strong passwords, every one of your logins that LastPass had is at risk. So that’s neat.
I was part of this and luckily used a strong master password. Even so I changed the passwords to the important stuff, just to be sure. Still using LP without worry, though not terribly happy about a password company getting scammed into giving over credentials.

I admit that I need to do way better with password and ID protection. What’s the FBG recommended approach?
A good password program, probably Bitwarden. Set up a very strong, personally memorable, master password (>15 characters, with capitals, numbers, and symbols). Use Bitwarden to create super strong random passwords at about 20 letters long.

Don't use birthdays, middle names, or anything obvious for a master password. Use something memorable but not something that can be looked up by a bad guy. Add numbers and symbols, etc.

Use 2 factor authentication on the most important stuff - i.e. banks, credit cards, portfolios, 401ks, etc.

That's pretty good hygiene and should work for anybody.
 
I haven't gotten anything about FBG, but I did get an email notice today regarding a data breach at FanDuel.
 
Well, when they log in, they had better not post anything stupid on my account, I can do that all by myself
 
What’s ironic is that the first post says that he got a notification from LastPass that his login info here was potentially compromised. LastPass (a password management company) was actually breached recently and it turns out that they weren’t really using best practices and, unless you were using really strong passwords, every one of your logins that LastPass had is at risk. So that’s neat.
This has always been my fear with any password manager. If they get your master password, they then have it all.
 
Unique passwords. Frozen credit. Sit back and relax
^^^^THIS^^^^

My credit has been frozen for years now after the Equifax debacle....
Speaking of which, I got a $10 check from the court settlement yesterday. Drinks are on me!
Yea we got ours. Wasn’t this supposed to be like 300 bucks or something?
That was before the lawyers' cut. Zow thanks you.
 
WHAT? YOU GOT $10?? MY CHECK WAS FOR EXACTLY $5.21! WHAT THE CRAP MAN?!
Nice! If we pool our money we can buy a 4 pack of craft beer. :mellow:
 