Stealing Bases With Leaked Passwords

June 18, 2015
| |
2 min read

Baseball is a sport in which stealing bases is encouraged. Stealing bases can only be accomplished by the fastest, most agile players, providing a tremendous advantage to the offense by advancing players into better scoring positions.

Recent news about the St. Louis Cardinals being under investigation by the FBI and Justice Department prosecutors for allegedly hacking into one of the Houston Astros’ internal networks and allegedly stealing information from its database brings an unwanted new twist to the term stealing base. According to law enforcement officials, FBI investigators have “uncovered evidence that Cardinals employees broke into a network of the Astros that housed ‘special databases'” and compromised internal information about trades, proprietary statistics and scouting reports. The New York Times reported that this breach is the first known case of professional sports corporate espionage in which one team hacked the other team’s network.

The reported breach doesn’t appear to have been very sophisticated. It looks like the perpetrators relied on past behavior and passwords used for a previous Cardinals database to break into a newer version of the same database — this time, the Astros. The Cardinals used a computer program that houses all of the Cardinals’ baseball operations information, including scouting reports and player information. Access to the program for Cardinals executives was controlled via password. After former Cardinals executive Jeff Luhnow left the team and joined the Astros, he created a similar program to house the Astros’ “collective baseball knowledge.” Apparently, the alleged hackers used the Cardinals’ master list of passwords to break into the new Houston program; those same passwords provided access the Astros’ system, as well.

It is a known fact that many people reuse their passwords. Managing and remembering multiple different passwords is a hassle. In order to minimize the number of passwords users need to remember, some will reuse the same password over and over. In some cases, they use the same passwords for both corporate systems and personal apps. This is a dangerous practice because, if stolen or exposed to others, that single password can provide access to multiple systems and sites. Furthermore, cybercriminals know this, which is why even seemingly innocuous credentials are so valuable to them. There is no shortage of examples of websites that were breached and user credentials stolen. Just this week, we wrote about the breach incident at LastPass, a cloud-based password manager.

In an era of boundless data breaches and targeted attacks, it is imperative that organizations enforce password security policies that require employees to use different passwords for accessing corporate resources and personal apps. This can easily be achieved with credential protection platforms that can automatically alert on, and optionally prevent, password reuse by employees. As this breach demonstrates, exposed or stolen credentials can have a far-reaching impact, both on the financial side as well as the overall impact to the brand.

Dana Tamir
Director of Enterprise Security at Trusteer, an IBM Company

Dana Tamir is Director of Enterprise Security at Trusteer, an IBM Company. In her role she leads activities related to enterprise advanced threat protection ...
read more