The American Bar Association (ABA) suffered a data breach after hackers compromised its network and gained access to the old credentials of 1,466,000 members.
The ABA is the largest association of lawyers and legal professionals in the world, with 166,000 members as of 2022. The organization provides continuing education and services to attorneys and judges, as well as initiatives to improve the legal system in the United States.
On Thursday evening, the ABA began notifying members that a hacker had been detected on its network on March 17, 2023 and may have gained access to member login credentials for an old membership system taken out of service in 2018.
“On March 17, 2023, the ABA observed unusual activity on its network. The incident response plan was immediately activated and cybersecurity experts were retained to assist in the investigation,” reads a notification email sent to impacted members and seen by BleepingComputer.
“The investigation has determined that an unauthorized third party gained access to the ABA network on or about March 6, 2023 and may have acquired certain information.”
“On March 23, 2023, the investigation identified that an unauthorized third party had acquired hashed and salted usernames and passwords that you could have used to access online accounts on the old website of the ABA before 2018 or on the ABA Career Center since 2018.”
BleepingComputer has been notified by the ABA that 1,466,000 members are affected by this breach.
Although BleepingComputer has learned that this was not a ransomware attack and that no corporate or personal data was stolen, there are some concerns that threat actors may misuse identifying information.
The American Bar Association says these legacy credentials were hashed and salted, meaning they were converted from plain text to a more secure format.
“They were both hashed and salted, which is a process by which random characters are added to the plaintext password, which is then converted on ABA systems to cybertext,” the ABA notification explains.
However, even with hashed and salted passwords, it is still possible for threat actors to crack the passwords over time.
To make matters worse, the ABA says that “in many cases” the password may have been a default password assigned by the ABA during account registration, if the member never changed it.
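The two points above, that salting forces per-account work on whoever holds the stolen table but does nothing for a password that is simply a known default, can be shown in a few lines. The following is an added example written for this article, not code from the ABA or from any system involved in the incident; the default-password list, the usernames and the iteration counts are constructed for illustration and are not the ABA's values.

```python
import hashlib
import hmac
import os
from typing import List, NamedTuple, Optional, Tuple

# Constructed for this example: the kind of default passwords an organization
# might assign at registration. Not taken from the ABA incident.
DEFAULT_PASSWORDS = ("Welcome1", "ChangeMe123", "Password1")

# Illustrative work factor for new records; not an ABA setting.
PBKDF2_ITERATIONS = 600_000


class StoredCredential(NamedTuple):
    salt: bytes
    digest: bytes
    iterations: int


def legacy_unsalted_hash(password: str) -> bytes:
    """Weak scheme, for comparison only: one fast hash and no salt.
    Equal passwords give equal digests, so one precomputed guess
    matches every account that uses it."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> StoredCredential:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt per
    account means the same password stored twice yields different digests,
    so each record has to be attacked separately."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt, digest, iterations)


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


def is_default_password(password: str) -> bool:
    """Registration- and reset-time check: refuse assigned defaults outright.
    Hashing and salting cannot protect a password the attacker can guess."""
    return password in DEFAULT_PASSWORDS


def build_sample_records(iterations: int = 20_000) -> List[Tuple[str, StoredCredential]]:
    """Constructed member table: two accounts never changed their default."""
    return [
        ("alice", hash_password("Welcome1", iterations=iterations)),
        ("bob", hash_password("mZ7!quietHarbor-42", iterations=iterations)),
        ("carol", hash_password("ChangeMe123", iterations=iterations)),
    ]


def accounts_still_on_default(records: List[Tuple[str, StoredCredential]]) -> List[str]:
    """Defender-side audit: which accounts still sit on an assigned default?
    Because every record has its own salt, each one must be hashed again for
    each candidate; that per-record cost is what the salt buys, and a
    leaked table still falls to a short list of defaults."""
    hits = []
    for user, cred in records:
        if any(verify_password(default, cred) for default in DEFAULT_PASSWORDS):
            hits.append(user)
    return hits


if __name__ == "__main__":
    a = hash_password("Welcome1", iterations=1000)
    b = hash_password("Welcome1", iterations=1000)
    print("unsalted digests equal:", legacy_unsalted_hash("Welcome1") == legacy_unsalted_hash("Welcome1"))
    print("salted digests equal:  ", a.digest == b.digest)
    print("accounts on a default: ", accounts_still_on_default(build_sample_records()))
```

The audit function is the same computation an attacker would run against a stolen table, which is the point: salting does not stop a handful of default guesses, it only removes the shortcut of hashing each guess once for all accounts. The useful control is the `is_default_password` refusal at registration and reset, plus forcing a change on first login.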
What should ABA members do?
The problem is that members may have used the same credentials on the new member system as they did on the old system that closed in 2018.
If so, it is possible that threat actors could use these credentials to gain access to the current ABA membership portal.
Additionally, if the same credentials are used on other sites, threat actors could attempt to access other accounts used by the member.
Therefore, the ABA recommends that members change their passwords on the site and on any other site using the same credentials.
All ABA members are also advised to watch for spear-phishing emails impersonating the ABA, as threat actors may use them to obtain further personal information.