Cardinals hacker gets 4 years in prison

A story of dumb password usage, good intentions, and bad actions — and how all these led to the imprisonment of a former St. Louis Cardinals scouting director.

A former scouting director for the St. Louis Cardinals gets 4 years in prison for hacking into another baseball team’s database.

In sports, teams are always looking for ways to get ahead. Players and teams continually, frantically search for new ways to squash their competition en route to claiming another title. After all, the more they win, the more they get paid.

Sometimes that involves the use of performance-enhancing drugs, substances that could help with eluding opponents, improving a grip, or theatrical flopping — an edge is an edge right? Last year, we saw Major League Baseball’s St. Louis Cardinals take the competitive edge to a new level — hacking.

Yes, you read that correctly. Back in June of last year, Dennis Fisher penned a story on Threatpost with this lede: “In one of the more bizarre alleged hacking stories to emerge recently, federal authorities are investigating whether employees of the St. Louis Cardinals hacked into systems belonging to the Houston Astros and got access to internal team conversations about players, trades, scouting reports, and other sensitive information.”

As anyone knows who reads Kaspersky Daily or Threatpost regularly, hacking is nothing new, and it actually happens quite regularly. What made this hack noteworthy was not that it happened, but rather how it happened.

Houston Astros General Manager Jeff Luhnow was a polarizing executive during his time with the Cardinals. And according to initial reports on this story, it appeared that executives from the Cardinals tried to access the Astros’ systems by using Luhnow’s old passwords.

Now fast forward a little over a year from the initial reports. Chris Correa, a former scouting director for the Cardinals, has been sentenced to 46 months in prison after admitting that he had hacked the databases.

According to the St. Louis Post-Dispatch: “During his guilty plea six months ago, Correa contended he hacked into the Astros accounts to see if former Cardinals employees had taken proprietary data or statistical models to use in their new positions with the Astros. Correa told prosecutors he found evidence that it did occur.”

Looking at the above statement, you can see there may have been some forces for good at play, but even if so, the execution was just wrong. It also goes to show that when you access data without permission, there can be real-world repercussions. So — don’t hack, kids. Even if you think your motives are good or fair. Even if you are not using any special hacking software and are just logging into someone else’s account with their password, which you happen to know.

The incident also shows that it is not a good idea to share passwords, or to reuse them. If former coworkers knew of a common password(s) and/or user name(s) used by Luhnow, they could have gotten to much more sensitive information than baseball prospect notes and personnel information — they could potentially have obtained personal financial information.

This particular case happened in MLB, but that is not to say any other sort of team looking to gain an edge would not to do this — say, in the Premier League, FIFA, or the Olympics. And it probably does happen; we simply don’t know about it yet.

So, a short takeaway:

  1. Once again, don’t hack. Just don’t.
  2. Use passwords appropriately and well. You can read about password reuse and freshness here, and check if your passwords are good enough here.