Skip to content
Naked Security Naked Security

Ex-Cardinals exec: Yes, I hacked rival Astros’ database

Chris Correa, former scouting director, confessed to five counts of hacking and prying out confidential information.

Chris Correa, former scouting director for the professional US baseball team St. Louis Cardinals, pleaded guilty on Friday to five counts of computer hacking and admitted he repeatedly accessed a proprietary database belonging to a rival team – the Houston Astros – without authorization.

Correa, who started working for the Cardinals in 2009, was fired in July 2015 after he admitted to accessing the Astros’ database.

In June, investigations were launched by the FBI, the Astros and Major League Baseball into what looked like one of the best baseball teams in the US – the Cardinals – having apparently broken into a database belonging to one of the worst – the Astros.

Back in July, Correa admitted to hacking into the database but said it was only to determine whether the Astros had stolen proprietary data, according to a source with knowledge of the investigation who spoke with the St. Louis Post-Dispatch.

The database contained closely guarded, competitively vital information about players, including internal discussions about trades, proprietary statistics and scouting reports.

On Friday, the Department of Justice (DOJ) announced that Correa had come to a plea agreement, admitting that from March 2013 through to at least March 2014, he illicitly accessed the Astros’ database and/or email accounts of others in order to gain access to the Astros’ proprietary information.

The Astros, like many teams, have a database in which they keep measurements and analysis of in-game activities, scouting reports, statistics, contract information and other data.

The team calls its private, online database Ground Control.

Both Ground Control and Astros email accounts could be accessed online via password-protected accounts.

According to the DOJ, Correa got his hands on a former Astros employee’s passwords when the employee went to work for the Cardinals.

When the employee left the Cardinals and handed his work-issued laptop over to Correa, Correa could get at both the ex-employee’s password for Ground Control and for the employee’s Astros-issued email account, given that the employee was using a variant of the password he used at the Astros while he was with the Cardinals.

In other words, the employee was basically reusing the same password – with a minor tweak – while working for both teams.

It’s just the latest example of why reusing passwords is such a bad idea.

As we’ve explained, a reused password can effectively become a skeleton key to your whole online life.

We don’t know what password/password variant was at the heart of this series of database break-ins. But we do know how to pick a proper password: here’s a short, sweet video that shows you how.

Armed with the ex-employee’s login, Correa had free reign to trespass into the Astros’ Ground Control database.

During 2013, he got at scout rankings of every player eligible for the draft; viewed, among other things, an Astros weekly digest page that described the performance and injuries of prospects whom the Astros were considering; and got access to a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered.

Correa also viewed the team’s scouting crosscheck page, which listed prospects who were seen by higher level scouts.

The DOJ says that during the June 2013 amateur draft, Correa also viewed information on players who hadn’t been drafted yet, as well as several players drafted by the Astros and other teams.

His intrusions continued into March 2014.

The Astros tried to beef up their security by requiring users to change their passwords to more complex passwords and by resetting all Ground Control passwords to a more complex default password.

The team then quickly emailed the new default password and a new URL to all Ground Control users.

Unfortunately for the beleaguered team, Correa had access to a viable Astros email account, so he got his hands on the new URL and the newly reset default password.

Within minutes, Correa used the information to access another person’s Ground Control account, from which he viewed a total of 118 webpages, including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.

The total loss for all of Correa’s intrusions is estimated to be about $1.7 million, US Attorney Kenneth Magidson said in the DOJ’s statement.

Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.

At Friday’s hearing, Correa told US District Judge Lynn Hughes that he accepted responsibility for trespassing – repeatedly.

The Washington Times quotes him:

It was stupid.

Correa’s free on $20,000 bond.

He’ll be sentenced in April.

Image of Fredbird, the official mascot of the Saint Louis Cardinals courtesy of R. Gino Santa Maria /


Normally, we would say to “throw the book at him” as punishment. In this case, we should get Aroldis Chapman to throw beanballs at him.


This isn’t hacking but poor password management. The title is misleading.


I think the word “hacking” these days covers a multitude of sins (and also, as of old, acceptable digging around, too), and is unexceptionable in this context. The more technical amongst us might prefer “hacking” to be something that only elite techies could pull off, but that just raises the question, “Who sets the bar?” The old-school amongst us might prefer “hacking” to mean “technically excellent tricks for good only”, but that just ignores the fact that language evolves. (As an example, egregious comes from Latin – “standing out from the flock” – and originally meant “of the highest excellence.” Now, it means exactly the opposite: standing out by being the lowest of the low. So it goes.)

Anyway, I’d rather avoid victim-blaming. There was poor password management…*and* there was illegal access, compounded IMO after the password was changed to make it clear that the old one had been misused. You wouldn’t say, “It wasn’t breaking-and-entering because the guy left an unused brick just under to his own kitchen window. It was his own fault the non-crooks got in.”

My 2c.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!