Skip to Content

Everything you need to know about the bizarre Astros baseball hack

St Louis Cardinals v Houston AstrosSt Louis Cardinals v Houston Astros
Thomas Pham #60 of the St. Louis Cardinals swings at a pitch during a spring training game against the Houston Astros at Osceola County Stadium on March 10, 2015 in Kissimmee, Florida. !Stacy Revere — Getty Images

The Federal Bureau of Investigation is investigating St. Louis Cardinals front office employees for allegedly hacking into the computer systems of the Houston Astros, the New York Times reported Tuesday.

That word “hacking” has a funny ring to it once you dig into the details—this was by no means a high-tech affair on the level of foreign intrusions into American government networks. Yet this is exactly what a lot of “hacking” involves: Lapses, blunders, and bungles. It doesn’t take a crack squad of NSA whizzes to shuck open protected databases like a washed ashore shellfish. A target who fails to use proper password protections is all any adversary needs.

The primary victim in the Astros case, Jeff Luhnow, once worked for the Cardinals as a statistics expert. There he built a luminary database tool to give the team an edge, codenamed “Red Bird Dog.” But he never quite fit in there, as a profile in Businessweek details. Luhnow eventually flew the Cardinals coop, bringing his know-how in developing a signature data analytics platform with him to Houston. This one was called “Ground Control.” Its aim? To rejuvenate the struggling baseball team via big data and predictive analytics.

For all its Moneyball-esque hype, Luhnow’s secret weapon seems to have been felled by nothing short of bad password hygiene. As the law enforcement officers cited by the Times suggest, Luhnow failed to refresh the password protections on his system when developing the new tool at—or porting it over to—his new gig:*

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

The investigators presume Luhnow’s former colleagues gained access to the Astros’ precious database simply by peaking at Luhnow’s old passwords list. But Luhnow isn’t the only person to be sloppy; the so-called hackers were no better.

As if Luhnow’s possible password reuse wasn’t enough, the thieves—believed to be Luhnow’s old colleagues in the Cardinals’ front office—apparently launched the intrusion right from their own home. “Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in,” the Times says. That’s a rookie mistake. As Deadspin writer Tom Ley advises, “Go find, like, an Internet cafe or something.”

But one detail from the story seems out of place. Why would Cardinals officials bother to post nearly a year’s worth of hacked Astros’ data to Anonbin, an online repository for leaked information? Was it done simply as a covert smear tactic to embarrass the Astros? Wouldn’t it be wiser to keep that information private and use it solely to gain a competitive advantage?

Of course, the investigation is ongoing, there is no way to know for sure who did what just yet. Perhaps the Cardinals and Major League Baseball officials’ subpoenaed communications will reveal more information. But if the reports are to be believed, then Moneyball-style stats may have revolutionized the game, but MLB officials are still dopes when it comes to cybersecurity.

Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.

***

* Update June 18, 2015: In an exclusive interview with Sports Illustrated, a sibling publication to Fortune, Astros’ general manager Jeff Luhnow disputed a number of the claims in the original New York Times story. He says he did not recycle passwords between the databases (to wit: “that’s absolutely false”), did not take any proprietary information from his time at the Cardinals with him to the Astros (“I didn’t take anything, any proprietary information. Nor have we ever received any inquiries from anybody that even suggested that we had”), and did not have a strained relationship with his former colleagues (“This wasn’t a bad breakup. It was a happy promotion of a person to a higher position in another organization”). Read the full report on SI.com.