All it took was one recycled password.
If you haven’t heard the news yet, former executive for the St. Louis Cardinals baseball team Christopher Correa has officially been sentenced to 46 months in prison for hacking. The victim in this case? (Former) rival team the Houston Astros and their internal database/communications hub, aptly named “Ground Control.”
So how does something like this happen? Baseball is supposed to be a game of integrity and sportsmanship! Well, it’s important to remember that America’s pastime is a business too. Big business.
And businesses are always looking to get a leg up on the competition.
The important thing to remember here is that this hack wasn’t sophisticated. Scenes of Correa sitting at a desk at 3 am downing his 3rd Red Bull and plowing through mountains of code didn’t occur.
What did happen was that current Astros GM Jeff Luhnow left the Cardinals organization. When he did, he had to return his laptop to Christopher Correa. Correa then used the password attached to the laptop to “guess” the password used in the newly established “Ground Control” created under Luhnow, as well as the one he was using for his new email account.
Yes, he used *almost* the same exact password while going from one organization to another.
This allowed Correa to continue accessing the system even after passwords for it were reset.
Social engineering in its simplest form.
From that point on, Correa was able to access a virtual treasure trove of information, ranging from scouting reports to dialogue around potential trades (which apparently work almost the same way you’d barter with your buddies in fantasy baseball). All the good stuff you’d want to get the inside track on what a rival is doing.
The hack was only revealed many months later when an unknown person posted multiple messages of trade talks on the internet for all to see.
So, what’s the lesson that we can all learn from this? Well, for one, it’s the unfortunate truth that nobody is really safe from an online attack. Even a baseball team, most of whose work is done out on a field and not in an office. As long as technology is involved in critical decision-making processes, there’s always a chance for an outsider, or insider, to improperly access it and use it for their own gain.
Oh, and one more thing. Please remember to change your password from time to time.
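Changing a password only helps if the new one isn’t a close cousin of the old one, which is what kept the door open here even after a reset. The sketch below is an added example, not anything from the Astros or Cardinals systems: a check a password-change form could run to reject near-variants of the current password. The function names, the distance threshold and the sample passwords are all assumptions made for illustration.

```python
import re

# Constructed map that undoes common look-alike character swaps.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def normalize(pw: str) -> str:
    """Reduce a password to its base word so cosmetic changes disappear."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)  # strip digit/symbol decoration
    return core.lower().translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is a near-variant of `old` and should be rejected."""
    if edit_distance(old, new) < min_distance:
        return True
    base_old, base_new = normalize(old), normalize(new)
    # Same base word under different decoration (bumped year, new suffix).
    return len(base_old) >= 4 and edit_distance(base_old, base_new) < 2

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the case.
    current = "Rocket2013!"
    for candidate in ("Rocket2014!", "r0cket#2015??", "violet-harbor-quilt-92"):
        verdict = "reject" if too_similar(current, candidate) else "accept"
        print(f"{candidate!r}: {verdict}")
```

A check like this only sees the password the user types into the change form on one system; it can’t know what that person used at a previous employer, so unique passwords per organization still matter.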
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.