Update: we sent out our password reset emails, and the domain used on them is bbp.cx, not baseballprospectus.com . bbp.cx is owned by Baseball Prospectus and is actually just a mirror of our baseballprospectus.com domain. We used the shorter URL to keep mailreaders from wrapping and breaking it. Apologies for the confusion.
On April 28, 2012, we disconnected the Baseball Prospectus email server from the Internet because it was behaving erratically. On May 6, 2012, we discovered that there had been an unauthorized intrusion into that server, which we believe lasted less than 24 hours. At the time, it did not appear that any subscriber information had been compromised. We immediately put in place strict measures to prevent any further compromise to member information via our other servers.
Earlier this week, a Premium Account member alerted us to the unauthorized publication of Baseball Prospectus username/password information on a hacking website. Thus far, our investigation shows that only a small number of Baseball Prospectus accounts have been compromised, and even with a username/password combination, accessing a member’s account would not provide access to any address or payment information. We have no evidence that there has been unauthorized access to a member’s account as a result of this breach.
We apologize for this and can assure you that we will continue to monitor this situation until full resolution is accomplished. Our senior staff is working closely with appropriate law enforcement agencies and Internet security experts, and we have been assured that our computer systems have been re-secured.
As a security precaution, we will immediately require that you reset your password for access to the Baseball Prospectus site. We will do this by sending a password reset email to every subscriber's email address, with instructions on the steps to take. This will ensure that your Baseball Prospectus account is under your exclusive control. If you have any issues or problems, please email us at firstname.lastname@example.org (if possible, including your username, real name, and email address as it appears in our records) and we will assist you.
We ask that you reset your account with a new password rather than your previous password to ensure as much security for your account as possible.
If you're one of those people who uses the same password for multiple sites, please consider changing your password for any account you have that used the same password as your BP Premium account. I know it’s a horrible pain, as I did it myself, and I apologize again for the intrusion on your time and effort. To reiterate, while it appears that only a small fraction of our accounts were published to the hacker site, and many of those had incorrect passwords, it’s possible that your BP username and password are available to bad people out there.
Once again, your protection has always been important to me and all BP staff, and I want you to feel secure in your online experience at Baseball Prospectus. Please feel free to email us at email@example.com with any questions, comments, or thoughts.
[Rob McQuown edit 5/26 – Some users have noted that they don't recall which password they used for their account, so even after changing their password, they don't know which of their passwords to change on other sites. To address this, once you've changed your password, you can check passwords against your old one (we don't have these on file in an unencrypted format) using this URL: http://www.baseballprospectus.com/testdir/test_password_old.php]