The FBI's Houston office is conducting an investigation into an alleged cyberattack against the Houston Astros by the St. Louis Cardinals, according to a New York Times report today. It's the first time a pro sports team has hacked a rival (or the first time one has gotten caught), and involves -- surprise! -- a terrible, awful, embarrassing password mistake.
According to the report, the attackers gained access to the Astros' "trades, proprietary statistics and scouting reports" kept by the team's front office (some of which showed up on Deadspin last spring). How did the Cards gain access? Well, the FBI says their methods "did not appear to be sophisticated." That's a massive understatement.
Here's what seems to have happened: Jeff Luhnow, the General Manager of the Astros, was the creator of the database in question, which he and the front office used to track things like internal discussions of trades and player information -- important stuff, to be sure. But before Luhnow managed the Astros, he was the GM of the Cardinals, where he created a very similar database to track internal information.
When he moved over to the Astros in 2011, it seems as though Luhnow used the same password for his new database. The Cardinals used an old list of passwords to access his new Astros system. The NYT explains, emphasis mine:
Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros' network, law enforcement officials said.
You guys. Change your passwords. Enable two-factor. Especially if you're not the general manager of a professional sports team who jumps to a rival team. If this ends up being true -- and we'll have to wait and see, as subpoenas are just being served -- it will be one of the dumber instances of corporate hacking ever. [New York Times]