Basic security mistake led to the Houston Astros hack that shook baseball

One of the most common security mistakes made it easy for a Cardinals executive to dig through the Astros' data. Photo / Getty Images

Former St. Louis Cardinals executive Christopher Correa was sentenced to 46 months in prison this week for violating federal hacking laws as part of a cyberespionage campaign that shook the world of baseball last summer.

Correa's crime sounds high tech at first glance: He broke into the Houston Astros' online statistics database, siphoning valuable information about scouting reports, trade negotiations and player analytics that can make or break a team's strategies.

But details of the breach revealed in the plea deal Correa struck in January showed that he wasn't some criminal mastermind. Instead, his data heist hinged on one of the most common security mistakes: a bad password.

When a Cardinals staffer identified as Victim A in the court documents - thought by many to be Jeff Luhnow, a former Cardinals scout who is the Astros' general manager - left for the Houston team in December 2011, he was told to hand over his work laptop and its password to Correa, according to court documents.

Correa then used variations of the former employee's password to try to access the Astros' stats database, dubbed "Ground Control."

By March 2013, Correa had guessed the employee's new password and used his login to spy on the information in Ground Control.

According to his plea deal, Correa accessed information such as how the Astros ranked every player eligible for that year's draft, along with other confidential data.

He broke in again at the end of July 2013 - during the crucial period before a key deadline for trading players - and reviewed notes about the Astros' trade negotiations.

Correa persisted even after the Astros updated their system. He logged in to the former employee's email account and found a default password the team had emailed to people with access to Ground Control to use until the next time they could sign in and change their passwords.

The FBI began investigating a potential breach in Ground Control after trade negotiation information that was stored in the database was leaked online in 2014, eventually uncovering Correa's scheme.

Altogether, the plea deal estimates that Correa's intrusions amounted to $1.7 million worth of damage to the team. So now he is headed to prison and will pay $279,038 in restitution. But the Astros also learned an expensive lesson about good password hygiene: Tweaking a password isn't enough to keep important accounts safe.