The personal information of more than 1,100 NFL players, including controversial free agent quarterback Colin Kaepernick, was left exposed in an unsecured and publicly accessible database, according to security researchers.

Included in the information, which was hosted in an open Elasticsearch database hosted on a server for NFLPA.com—the website for the NFL Players Association (NFLPA)—was contact information for more than 1,133 NFL players and their agents.

The email addresses, mobile phone numbers, home addresses of agents and players and IP addresses associated with a user when they sign in and access the site were all logged and stored in the exposed database that could be accessed by anyone who knew or came across the URL where it was hosted.

In total, 1,262 email accounts for players and agents were leaked, including 75 email addresses linked to the NFLPA. Information about advisor fee percentages were also included in the database, along with 26,271 IP addresses associated with logins from players and agents.

Not all current NFL players who used the NFLPA website were included in the leak, but a number of free agent players were. Among those who had information exposed were former San Francisco 49ers quarterback Colin Kaepernick; free agent quarterback Robert Griffin III, who was last a member of the Cleveland Browns; and former New York Jets cornerback Darrelle Revis.

The database was discovered by Bob Diachenko, the chief communications officer at cybersecurity company Kromtech Security. Diachenko came across the open Elasticsearch database last week and disclosed the exposure to the NFLPA.

The database has since been secured, although the NFLPA has yet to publicly acknowledge the exposure or respond to request for comment. The organization did send an email to agents on Monday alerting them of the exposure.

"We have worked with cybersecurity experts at Microsoft and our database consultant to determine the extent of the improper access. We are confident that it was limited to a two-hour period last week," the NFLPA email, which was obtained by Forbes, said.

"We want to emphasize that no information about you or your player's Social Security Number or finances was in the data. Also, we are directly informing all players involved," the email noted. "In addition to our work with Microsoft, we are engaging an independent firm to do a full review of all of our cybersecurity measures."

While the server may be secure now, it was likely left exposed for a significant period of time—much longer than the two hours the NFLPA claims—and Diachenko was not the first to discover it.

According to Kromtech’s chief communications officer, the database was compromised by the time he discovered it and contained a ransom note left by a malicious actor who gained access to the database in February.

Details about the previous party to access the database are unknown, but the ransom note contained a threat claiming the information stolen from the repository would be publicly released unless the NFLPA paid a ransom.

The ransomers demanded 0.1 Bitcon (approximately $429 at the time of publication) be sent to a Bitcoin wallet. The ransom note gave the NFLPA 120 hours to fulfill the demand. While it is unclear if that demand was met, the Bitcoin wallet associated with the ransom attempt is empty and the 120 hour period has long since passed and the information was not released by the attackers.

RELATED STORIES
Security NFL Security Security