Did Recycled Passwords Lead to Hack of Houston Astros?

Houston AstrosSometimes hackers need to use sophisticated techniques to get into computer networks.

But sometimes the victims make it WAAAAAYYYY too easy – as this case may demonstrate.

The Moneyball Hack

As reported by the New York Times, the US Justice Department and the FBI are investigating front office personnel for the St. Louis Cardinals Major League Baseball team.

The Cardinals are believed to have broken into the computer system of the Houston Astros in order to see data about Astros players.

As Fortune said in reporting on this story,

That word “hacking” has a funny ring to it once you dig into the details—this was by no means a high-tech affair on the level of foreign intrusions into American government networks. Yet this is exactly what a lot of “hacking” involves: Lapses, blunders, and bungles. It doesn’t take a crack squad of NSA whizzes to shuck open protected databases like a washed ashore shellfish. A target who fails to use proper password protections is all any adversary needs.

(Emphasis added – and we couldn’t agree more.)

According to the Times,

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager, who had been a successful and polarizing executive with the Cardinals until 2011.

Luhnow was a proponent of the “Moneyball” theory of baseball management and helped the Cardinals create a computer system for better managing the team’s data. The premise of Moneyball is that the “collective wisdom” of baseball coaches and managers about player value is often wrong, and that statistical analysis can be used to identify players undervalued by the market.

The concept became well-known via the 2003 book Moneyball: The Art of Winning an Unfair Game by Michael Lewis. The book was adapted as an award-winning hit movie starring Brad Pitt.

When Luhnow left the Cardinals, he created a similar data management system for the Astros.

Poor Password Hygiene?

According to the Times:

Investigators believe that Cardinals personnel, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

(Emphasis added.)

In an interview with Sports Illustrated, Luhnow denied the allegations in the Times article about recycled passwords:

“That’s absolutely false,” said Luhnow, who worked as a technology executive before he began his career in baseball. “I absolutely know about password hygiene and best practices. I’m certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard.”

(Emphasis added.)

Feeling Violated

While some team statistics are public information, and fantasy baseball leagues run on such statistics, teams also collect non-public data.

Documents reportedly taken from the Astros and relating to about 10 months’ worth of discussions about trades were posted online at Anobin, a site for sharing hacked or leaked information. It’s not clear why these discussions, from 2013-2014 were leaked, other than to potentially embarrass the Astros.

Luhnow said when he learned about the breach,

It was like coming home and seeing your house has been broken into. You feel violated when someone does that without permission.

He called 29 major league general managers to apologize for private notes about Astros conversations with them had been leaked.

“Those were not fun calls to make,” he said.


As we’ve said time and again, human beings are dumb about passwords. They use the same ones over and over, in all kinds of contexts. “Updating” passwords every few months isn’t nearly good enough to stop a determined hacker.

Any “security” system that relies on passwords is inherently vulnerable. We need to do better – because more than baseball statistics are at stake.

Our Bolt-On Strong Security provides a solution to the weakness of passwords. To learn more about PACid’s Five Levels of Data Security, please click here.