Fork me on Github
Fork me on Github

Joe Dog Software

Proudly serving the Internets since 1999

up arrow Did The St. Louis Cardinals Hack Into Another Team’s Database?

By jdfulmer | Published June 30, 2015 | Leave a comment

Get A Brain! Morans - Did St. Louis Hack the Astro's databaseYour JoeDog roots for the Pittsburgh Pirates. They are a major league baseball team in the same division as the St. Louis Cardinals. On June 16, the New York Times broke a bombshell story about the Cardinals. They were under investigation by the FBI for breaking into a Houston Astros database.

That seems like an odd choice, right? At the time of the 2013 breach, the Astros weren’t particularly good. They weren’t even in the same division as the Cardinals. Yet they did have something with which St. Louis was familiar, a General Manager named Jeff Luhnow. He worked with the Cardinals before he was hired by Houston in 2011.

When Luhnow was with the Cardinals, he built a computer system known as Redbird. It was a large database filled with scouting information and player analysis. In Houston, he built a similar system called Ground Control. It was basically Redbird under a different name. So St. Louis was familiar with the system but by 2013 they didn’t have Luhnow’s updated information. Did they breach Houston’s computers in order to obtain it? The FBI thinks that’s possible.

One of FBI’s supoenas sought information on the IP addresses from which the attackers logged into Ground Control. It is believed those addresses point directly to the Cardinals or Cardinals’ personnel. The breach itself wasn’t particularly sophisticated. The attacker just stone cold logged in with a password. Again, this takes us back to St. Louis.

Remember, Luhnow used to work with the Cardinals. He brought several Cardinals’ employees with him to Houston. There’s a pretty good chance they had dormant accounts back in St. Louis. Those accounts had login credentials. If any of those former Cardinals employees reused their credentials in Houston, St. Louis had everything it needed to break in.

In the worst case for computer security, St. Louis stored its passwords in the clear (or an employee left a sticky note on his desk). With this information, all they needed to do was log in. If passwords were stored in a secure hash, then St. Louis could have downloaded a password cracker like John The Ripper to get the goods.

This goes beyond anything Tom Brady did. This is no Deflategate. If the accusations hold, then people in St. Louis committed wire fraud, computer hacking, corporate espionage and theft of trade secrets. Those crimes are punishable with incarceration. The guilty won’t find a low level equipment manager to take the fall for this one. The stakes are way too high for that.