Articles about this blythly state that Correa simply tried different versions of known passwords. But how did he know where to login?
Did he have a secret URL and if so how did he get it? Did he receive an email from a former St. Louis Cardinal employee now with the Houston Astros? Was it from:
If so, then Correa could put astrosecretdatabase.com into his browser and start to fiddle around to find where he could start trying to login.
It's much more understandable how the former St. Louis employees would know where to login to their former website. Of course, Correa had changed or more likely entirely deleted their accounts once they resigned. But they would know where to breach security.
But how would Chris Correa know where to start to get into the new and unknown Houston Astros database?