How You Could Have Stopped the Houston Astros 'Hack'

Orbit, the Houston Astros' mascot, at Minute Maid Park in Houston during the 2014 Major League Baseball preseason. Credit: Erik Enfermero/Creative Commons

The St. Louis Cardinals are alleged to have "hacked" the Houston Astros, a rival Major League Baseball team, in order to get sensitive player data. Yet something needs to be made clear: This may not be a hack, but rather an example of extreme security stupidity that you can avoid.

According to The New York Times, the FBI and Justice Department are probing officials in the Cardinals' front office for allegedly accessing the Astros' player database. How was this apparently done? Astros officials who once worked for the Cardinals may have used the same passwords to log into both teams' systems.

The Astros seem to have noticed the breach only after internal documents from the team's servers were anonymously posted online a year ago. According to The Times, the FBI quickly discovered that the Astros' networks had been penetrated from a computer at the home of some Cardinals officials.

As the sports blog Deadspin put it, "Everyone involved in the Cardinals hacking scandal seems to be an idiot."

For eight years, current Astros General Manager Jeff Luhnow was an executive with the Cardinals, where he helped run St. Louis' player database and used "Moneyball" number-crunching to build up the Cardinals' recruitment system.

In December 2011, soon after the Cardinals won the World Series, Luhnow and some other officials jumped ship to the Astros, another National League franchise that was at the time the worst team in Major League Baseball.

In 2013, the Astros switched to the American League and slowly crawled out of last place. They currently lead the American League West, while the Cardinals, with a .667 winning percentage, lead not only the National League Central, but all of Major League Baseball.

Possibly alarmed that Cardinals proprietary information had been stolen by Luhnow and other former officials to engineer the Astros' turnaround, Cardinals executives reportedly took a look at the list of passwords used by those officials to log into the Cardinals' player database when those officials had worked in St. Louis.

Lo and behold, according to The Times, at least some of those passwords were successfully used to log into the Astros' player database. In other words, some of the officials who left the Cardinals for the Astros used the same passwords at their new jobs.

Reusing passwords, as regular readers of Tom's Guide know, is very, very dumb. If you use the same password for two different sensitive accounts, it doesn't take a smart "hacker" to discover that unlocking one account will also unlock the other.

If you want to be smarter than an Astros front-office executive, follow these simple guidelines:

  • Never reuse a password for important accounts, such as online email accounts, social networks or accounts handling financial matters or playing statistics of professional athletes whom you pay.
  • Make sure all your passwords, even those you may reuse for unimportant accounts, are long and strong: more than 12 characters, mixing digits, uppercase letters, lowercase letters and punctuation marks.
  • Whenever possible, enable two-factor authentication, which will force you to enter a code texted to or generated by your cellphone whenever you (or a miscreant) log into an account from an unfamiliar computer or device.
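The two-factor guideline, sketched as server-side login logic (an added example, not from the original article): a correct password presented from an unfamiliar device is not enough, and the login must also supply the code an authenticator app generates (TOTP, RFC 6238). The account record, password and device names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 one-time code (HMAC-SHA1), as an authenticator app computes it."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)     # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account: the password is one the user also used at a previous job.
SALT = b"constructed-salt"
SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test key
ACCOUNT = {
    "pw_hash": hash_password("reused-at-old-job", SALT),
    "totp_secret": SECRET,
    "known_devices": {"office-laptop"},
}

def login(password, device_id, now, code=None):
    """Return 'ok', a challenge, or a denial for one login attempt."""
    if not hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"]):
        return "denied: bad password"
    if device_id in ACCOUNT["known_devices"]:
        return "ok"
    if code is None:
        # The password was right, but the device is unfamiliar: step up.
        return "challenge: second factor required"
    # Accept the current and previous time step to tolerate clock drift.
    expected = [totp(ACCOUNT["totp_secret"], now - drift) for drift in (0, 30)]
    if not any(hmac.compare_digest(code, e) for e in expected):
        return "denied: bad code"
    ACCOUNT["known_devices"].add(device_id)            # remember the device
    return "ok"
```

Someone who knows only the reused password stops at the challenge, because the shared secret behind the code lives on the account owner's phone and was never typed into the other system.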

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • Arrias117
    "...digits, uppercase letters, lowercase letters and punctuation marks"

    Please, stop perpetuating this. Every time I see this listed in password requirements for any system it makes me die a little inside. Length matters near infinitely much more than "complexity". All this does is create passwords that are harder for the average user to remember.

    You want a secure password? Use a passphrase. (ex: "thispasswordissomuchbetterthanyourpassword")
  • Paul Wagenseil
    And that would be a lot stronger if it were "th15p455w0Rd!i5b3tter?th4Ny0urp455w0rd#".
  • Arrias117
    And that would be a lot stronger if it were "th15p455w0Rd!i5b3tter?th4Ny0urp455w0rd#".

    That password is ONLY stronger if the offender is absolutely sure the previous example password is only lower case. Also, mine is memorable for a user. Yours would be "more secure" right up until I walked past the average user's desk and saw it written down on a sticky note on their desk. I'd much rather we encourage people to make use of passwords that are both difficult to crack AND easy to remember as opposed to the opposite for short complex passwords.