Ex-Cardinals exec: Yes, I hacked rival Astros’ database

Chris Correa, former scouting director for the professional US baseball team St. Louis Cardinals, pleaded guilty on Friday to five counts of computer hacking and admitted he repeatedly accessed a proprietary database belonging to a rival team – the Houston Astros – without authorization.

Correa, who started working for the Cardinals in 2009, was fired in July 2015 after he admitted to accessing the Astros’ database.

In June, investigations were launched by the FBI, the Astros and Major League Baseball into what looked like one of the best baseball teams in the US – the Cardinals – having apparently broken into a database belonging to one of the worst – the Astros.

Back in July, Correa admitted to hacking into the database but said it was only to determine whether the Astros had stolen proprietary data, according to a source with knowledge of the investigation who spoke with the St. Louis Post-Dispatch.

The database contained closely guarded, competitively vital information about players, including internal discussions about trades, proprietary statistics and scouting reports.

On Friday, the Department of Justice (DOJ) announced that Correa had come to a plea agreement, admitting that from March 2013 through to at least March 2014, he illicitly accessed the Astros’ database and/or email accounts of others in order to gain access to the Astros’ proprietary information.

The Astros, like many teams, have a database in which they keep measurements and analysis of in-game activities, scouting reports, statistics, contract information and other data.

The team calls its private, online database Ground Control.

Both Ground Control and Astros email accounts could be accessed online via password-protected accounts.

According to the DOJ, Correa got his hands on a former Astros employee’s passwords when the employee went to work for the Cardinals.

When the employee left the Cardinals and handed his work-issued laptop over to Correa, Correa could get at both the ex-employee’s password for Ground Control and for the employee’s Astros-issued email account, given that the employee was using a variant of the password he used at the Astros while he was with the Cardinals.

In other words, the employee was basically reusing the same password – with a minor tweak – while working for both teams.

It’s just the latest example of why reusing passwords is such a bad idea.

As we’ve explained, a reused password can effectively become a skeleton key to your whole online life.

We don’t know what password/password variant was at the heart of this series of database break-ins. But we do know how to pick a proper password: here’s a short, sweet video that shows you how.

Armed with the ex-employee’s login, Correa had free rein to trespass into the Astros’ Ground Control database.

During 2013, he got at scout rankings of every player eligible for the draft; viewed, among other things, an Astros weekly digest page that described the performance and injuries of prospects whom the Astros were considering; and got access to a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered.

Correa also viewed the team’s scouting crosscheck page, which listed prospects who were seen by higher level scouts.

The DOJ says that during the June 2013 amateur draft, Correa also viewed information on players who hadn’t been drafted yet, as well as several players drafted by the Astros and other teams.

His intrusions continued into March 2014.

The Astros tried to beef up their security by requiring users to change their passwords to more complex passwords and by resetting all Ground Control passwords to a more complex default password.

The team then quickly emailed the new default password and a new URL to all Ground Control users.

Unfortunately for the beleaguered team, Correa had access to a viable Astros email account, so he got his hands on the new URL and the newly reset default password.

Within minutes, Correa used the information to access another person’s Ground Control account, from which he viewed a total of 118 webpages, including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.
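
The reset described above sent one shared default password to every user, so a single exposed mailbox was enough to open another person's account. The following Python sketch is an added example, not taken from the DOJ statement or from the Astros' system: it issues per-user, single-use, expiring reset tokens, and the account names and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window


class ResetTokenStore:
    """Per-user, single-use, expiring reset tokens (only hashes are stored)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> (sha256 hex of token, expiry timestamp)

    def issue(self, username):
        """Create a token for one user; the caller delivers it to that user only."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token):
        """Return True once for the right user and token before expiry."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[username]  # single use; an expired token is discarded too
        return self._clock() <= expires_at


def demo():
    """Constructed scenario: one mailbox is read by an outsider."""
    store = ResetTokenStore()
    users = ["scout_a", "scout_b", "analyst_c"]  # hypothetical account names
    mailboxes = {u: store.issue(u) for u in users}
    leaked = mailboxes["scout_a"]  # token seen in the exposed mailbox
    return {
        "other_account": store.redeem("scout_b", leaked),
        "own_account": store.redeem("scout_a", leaked),
        "replay": store.redeem("scout_a", leaked),
    }


if __name__ == "__main__":
    print(demo())
```

The token from the exposed mailbox fails against any other account and cannot be replayed, but it still works once for its own account, so a reset sent by email is only as strong as the mailbox it lands in.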

The total loss for all of Correa’s intrusions is estimated to be about $1.7 million, US Attorney Kenneth Magidson said in the DOJ’s statement.

Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.

At Friday’s hearing, Correa told US District Judge Lynn Hughes that he accepted responsibility for trespassing – repeatedly.

The Washington Times quotes him:

“It was stupid.”

Correa’s free on $20,000 bond.

He’ll be sentenced in April.

Image of Fredbird, the official mascot of the Saint Louis Cardinals courtesy of R. Gino Santa Maria / Shutterstock.com