The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members.
The ABA is the largest association of lawyers and legal professionals globally, with 166,000 members as of 2022. The organization provides continuing education and services for lawyers and judges, as well as initiatives to improve the legal system in the USA.
Thursday night, the ABA began notifying members that a hacker was detected on its network on March 17th, 2023, and may have gained access to members’ login credentials for a legacy member system decommissioned in 2018.
“On March 17, 2023, the ABA observed unusual activity on its network. The incident response plan was immediately activated response, and cybersecurity experts were retained to assist with the investigation,” warns a notification email sent to impacted members and seen by BleepingComputer.
“The investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired certain information.”
“On March 23, 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.”
BleepingComputer was told by the ABA that 1,466,000 members were affected by this breach.
While BleepingComputer has learned that this was not a ransomware attack and that no corporate or personal data was stolen, there are some concerns that the threat actors could abuse the credentials.
The American Bar Association says these legacy credentials were hashed and salted, meaning they were converted from plaintext into a more secure format.
“They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext,” explains the ABA notification.
However, even with the passwords being hashed and salted, it is still possible for threat actors to dehash the passwords over time.
To make matters worse, the ABA says that “in many instances” the password may have been a default password assigned by the ABA when the account was registered if it was not later changed.