One morning, last week, coffee in hand, I opened the sports page of my local newspaper and the top story wasn’t about the latest pitcher to toss a no-hitter. There was nothing on the front page about game 6 of the NBA finals. Instead, the lead story was that it was recently revealed that there is a federal investigation underway to determine whether the St. Louis Cardinals hacked into the computers of the Houston Astros.
So it’s come to this. Has cybercrime become so mainstream that sports teams will now employ sophisticated hackers to infiltrate rivals’ systems to gain an edge on the competition? Will we see an asterisk in the history books next to the latest champion because it was found that the team used cyber espionage to gain the upper hand? I jest, but the fact is, this just isn’t funny.
According to the New York Times, “Investigators uncovered evidence that Cardinals employees broke into a network of the Astros that housed a special database the team had built…internal discussions about trades, proprietary statistics and scouting reports were compromised, said the officials…” According to investigators, the alleged break-in can’t be credited to some sophisticated hacking scheme, but instead to a simple case of compromised credentials.
To those of us in the cyber security field, the sins of bad password hygiene are well known. SplashData’s Worst Passwords List shows that many people and organizations continue to put themselves in harm’s way by using easily guessable and weak passwords. In addition, the re-use of passwords across systems and websites has proven to be the open door into many a savings account.
In fact, our recent research on password security indicates that less than 21% of respondents use unique passwords for online accounts. And if the FBI’s investigation into the Astros’ data breach proves out its initial findings, it would be the classic case of poor password management.
So, what to do? For the Astros, it’s “too little too late.” But take note: There are lessons to be learned.
I’m probably not telling anyone who would read this something they don’t already know. But knowing and doing are two different things, and if you repeatedly hear that you should do something, you’re probably more likely to do it. Here are a few ways you can make your passwords more secure:
- If you have anything at all running in your network that might still have a default password on it, change it.
- Make your passwords stronger. Eight-character passwords are a start. But let’s be really secure and stop calling them passwords. Instead let’s change the way we think and start calling them passphrases—meaning 16 characters or longer with a mix of upper and lower case letters, numbers and special characters. But don’t make it so hard that you have to write it down.
- Learn from the mistakes of the Astros and never, ever use the same password everywhere, or just one password for everything. In other words, the password you use for your Facebook account shouldn’t be the same one you use for your mobile banking.
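The three rules above, turned into a small audit script. This is an added example written for this post, not code from the author or from any investigation; the default-password list and the sample account inventory are constructed for illustration, and a real audit would use the documented defaults of the gear actually on your network.

```python
"""Audit passphrases against the three rules in the post:
no defaults, 16+ characters with mixed character classes, no reuse."""
import hashlib
import string
from typing import Dict, List

MIN_LENGTH = 16  # the post's "16 characters or longer" passphrase rule

# Constructed sample of vendor defaults; substitute your devices' documented defaults.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default"}


def passphrase_issues(passphrase: str) -> List[str]:
    """Return the list of policy rules a passphrase breaks (empty means it passes)."""
    issues = []
    if passphrase.lower() in DEFAULT_PASSWORDS:
        issues.append("matches a well-known default password")
    if len(passphrase) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in passphrase):
        issues.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        issues.append("no lower-case letter")
    if not any(c.isdigit() for c in passphrase):
        issues.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        issues.append("no special character")
    return issues


def reused_passwords(accounts: Dict[str, str]) -> List[List[str]]:
    """Group account names that share one password (the Facebook/banking mistake).

    Accounts are grouped by a SHA-256 fingerprint so an auditor can keep only the
    fingerprints, not the plaintexts, once the comparison has been made."""
    by_fingerprint: Dict[str, List[str]] = {}
    for account, secret in accounts.items():
        fingerprint = hashlib.sha256(secret.encode("utf-8")).hexdigest()
        by_fingerprint.setdefault(fingerprint, []).append(account)
    return sorted(sorted(group) for group in by_fingerprint.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed inventory: one reused password, one passphrase that passes.
    inventory = {"facebook": "Summer2015!", "mobile-banking": "Summer2015!",
                 "work-vpn": "Correct-Horse-Battery-7", "router": "admin"}
    for name, secret in inventory.items():
        print(name, passphrase_issues(secret) or "ok")
    print("reused across:", reused_passwords(inventory))
```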
Would better password hygiene have been enough to keep the St. Louis Cardinals at bay? Good password management alone might have been enough to thwart these non-sophisticated cyber thieves. But if a baseball team’s staff members were able to steal another team’s sensitive data, just think what vulnerabilities a real cyber-sleuth creeping around your company’s back door might find.