The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members. The ABA is the largest association of lawyers and legal professionals globally, with 166,000 members as of 2022. The credentials were from a legacy member system that was decommissioned in 2018.
The hacker was detected on the ABA's network on March 17th, 2023, and may have gained access to members’ login credentials.
The investigation determined that an unauthorized third party acquired usernames and hashed and salted passwords that members may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.
Although no corporate or personal data was stolen, there are some concerns that the threat actors could abuse the credentials. The ABA says that “in many instances” the password may have been a default password assigned by the ABA when the account was registered, if the member did not later change it.
Even though the passwords were hashed and salted, threat actors can still recover them over time. A hash cannot be reversed directly, but an attacker holding the hashes and salts can guess candidate passwords offline and compare the results.
If members have used the same credentials on the new member system as those on the legacy system shut down in 2018, it may be possible for the threat actors to use those credentials to gain access to the current ABA membership portal.
Therefore, the ABA recommends that members change their passwords on the site and any other sites utilizing the same credentials. All ABA members are advised to also watch for spear-phishing emails impersonating the ABA, as threat actors may use them to access further personal information.
In summary, the ABA has notified members of a data breach caused by hackers who may have gained access to older credentials for 1,466,000 members. These credentials were from a legacy member system that was decommissioned in 2018, and the breach was detected on March 17th, 2023.
While no corporate or personal data was stolen, members are advised to change their passwords on the site and any other sites utilizing the same credentials.
All ABA members are also advised to watch for spear-phishing emails impersonating the ABA, as threat actors may use them to access further personal information.