Authentication controls added to defend against account hijack threat

The English Premier League has introduced two-factor authentication (2FA) controls to its official Fantasy Premier League game (FPL), offering football fans the option to secure their accounts.

The debut of 2FA for the 2022/23 season follows a wave of account hijacking attack allegations over the last two seasons. Miscreants were said to have made multiple player ‘transfers’ from compromised accounts, leaving victims with weaker fantasy football teams while simultaneously racking up penalty points.


BACKGROUND Fantasy Premier League account hack surge prompts plans to introduce extra login checks for football fans


Victims struggled to make up lost ground and for many, their whole season was ruined. The as-yet unidentified attackers, whose potential motives could range from mischief to sabotage, were also in the habit of changing hacked victims’ team names.

Third parties caught ‘offside’

The FPL game had more than nine million players last season, but the wave of hack attacks seemed to have disproportionately targeted the most successful teams – those ranked in the top 100,000 of players.

Success in FPL allows players to win mini leagues and secure bragging rights over their friends. Getting ahead in the game requires close or at least weekly attention to the form and fixtures of Premier League stars that FPL participants select.

Although some compete in paid entry mini-leagues, the free-to-enter FPL is a hobby for most. Even so, many devote considerable effort to putting together the best possible squad, a task aided by a community of FPL YouTube channels and team selection assistance websites.

Some of these team selection sites offer the option of signing users using login details from the official FPL game rather than creating a new account with the third-party website. This practice leaves many at risk of so-called credential stuffing attacks if any of the FPL team management or stats sites they use happens to be breached.


Catch up on the latest password security news and analysis


Back in September 2021, early in the 21/22 season, the Premier League blamed account takeovers on users sharing login details with unnamed third-party websites.

“There is no indication or evidence of a security breach on the accounts of these individuals via fantasy.premierleague.com or the Premier League mobile app,” it said at the time.

One team management website, Fantasy Football Hub, suffered a hack weeks later in October 2021 that exposed usernames, emails, and hashed user passwords.

In response to the ongoing issue, the Premier League initially went for the half measure of tweaking how the game worked so that managers were prevented from making more than 20 transfers in a single game week, except in cases where a free hit chip was in play.

The change was criticized by the community as inadequate, prompting the Premier League to promise the introduction of 2FA – but only from the 2022-23 season onwards.

4-4-2FA formation

This pledge was honored with 2FA becoming a supported feature in the recent re-launch of the game for the 2022-23 season, ahead of the kick-off of games on August 5.

Adding two factor authentication to an account means that simply knowing a user’s login name and password is not enough – you also need a 2FA challenge code, typically a varying six-digit number that’s generated by an app.

The technology has been used by corporations for remote access to email for years, but more recently has become widely available to consumers as a means to add safeguards first to email, then social media, and now online gaming accounts.

The introduction of 2FA to fantasy football has been welcomed by the community, even though there have been some quibbles that the feature is tricky to find and not the easiest to activate.

In a typical response, Twitter user @FPL_Eire said: “Big thanks to @OfficialFPL for listening to the FPL Community and adding this to the game. Getting hacked is a stuff of nightmares for FPL managers so thankfully we won’t see this happen to anyone this year as a result.”


YOU MAY ALSO LIKE ‘Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking