MLB Teams Are Hacking Each Other's Dumb Passwords Now, Apparently


The FBI’s Houston office is conducting an investigation into an alleged cyberattack against the Houston Astros by the St. Louis Cardinals, according to a New York Times report today. It’s the first time a pro sports team has hacked a rival (or the first time they’ve gotten caught), and involves—surprise!—a terrible, awful, embarrassing password mistake.


According to the report, the attackers gained access to the Astros’ “trades, proprietary statistics and scouting reports” kept by the team’s front office (some of which showed up on Deadspin last spring). How did the Cards gain access? Well, the FBI says their methods “did not appear to be sophisticated.” That’s a massive understatement.

Here’s what seems to have happened: Jeff Luhnow, the General Manager of the Astros, was the creator of the database in question, which he and the front office used to track things like internal discussions of trades and player information—important stuff, to be sure. But before Luhnow managed the Astros, he was the GM of the Cardinals, where he created a very similar database to track internal information.

When he moved over to the Astros in 2011, it seems as though Luhnow used the same password for his new database. The Cardinals used an old list of passwords to access his new Astros system. The NYT explains, emphasis mine:

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

You guys. Change your passwords. Enable two-factor. Especially if you’re not the general manager of a professional sports team who jumps to a rival team. If this ends up being true—and we’ll have to wait and see, as subpoenas are just being served—it’ll be one of the dumber instances of corporate hacking ever. [New York Times]
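The failure described above is password reuse across employers: a credential that appears on an old list still opens a new system. The check below is an added illustration, not code from the article or from either team, of the two controls that would have blocked it: refusing a new password that matches one in the user’s salted-hash history, and flagging an account whose password predates a role change. The sample history and dates are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date

# Cost parameter for PBKDF2; kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; only digests are stored, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user list of (salt, digest) pairs for passwords the user has used before."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))

    def was_used(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry;
        # compare_digest avoids leaking which bytes matched through timing.
        for salt, digest in self.entries:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False


def vet_new_password(candidate: str, history: PasswordHistory) -> list[str]:
    """Return the list of reasons the candidate is rejected (empty means accepted)."""
    problems = []
    if len(candidate) < 12:
        problems.append("too short")
    if history.was_used(candidate):
        problems.append("previously used")
    return problems


def needs_rotation(last_rotated: date, role_changed: date) -> bool:
    """True when the password was last set before the user changed roles or employers."""
    return last_rotated < role_changed


if __name__ == "__main__":
    # Constructed sample: a GM's old password history, then an attempt to reuse it.
    history = PasswordHistory()
    history.record("scouting-db-2010!")          # password used at the previous club
    print(vet_new_password("scouting-db-2010!", history))   # ['previously used']
    print(vet_new_password("new-club-new-secret-2011", history))  # []
    # Password set in 2010, job change in December 2011: rotation overdue.
    print(needs_rotation(date(2010, 6, 1), date(2011, 12, 5)))    # True
```

Rejecting reused passwords addresses only half of the problem; the rotation check is what catches credentials that were valid before a move and were never changed afterward, which is exactly the window the old password list exploited.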

Image: Dilip Vishwanat/Getty Images

John Poe

Enabling a piece of homegrown software for two-factor auth is more difficult than you think. Also, those writing internal software generally assume that their software is not going to be accessed by outsiders.

The best option is to protect internal resources with a VPN and use Active Directory to manage VPN access. When someone leaves, they get removed from Active Directory and their access to the internal applications is also revoked. I realize this article covers the other way around but both applications should have been behind VPNs and then this probably wouldn’t have happened.