Info Security Report Says American Bar Association Breach Hits 1.5 Million Members

Big numbers!

Although we have already reported this, I thought it worthwhile to update it with the latest information.

A leading legal industry body in the US has been forced to warn individuals who held accounts on its website that their logins may have been compromised.

The American Bar Association (ABA) reportedly told 1.5 million individuals about the breach, which occurred last month.

The ABA said in a notice on its website that it first discovered unusual activity on its network on March 17, but concluded that a threat actor had gained unauthorized access even earlier than that, on March 6.

“On March 23 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018,” the notice continued.

“In many instances, the password may have been the default password assigned to the user by the ABA, if the user never changed that password on the old ABA site. The ABA is notifying all affected individuals in an abundance of caution.”

Users who didn’t update their passwords in 2018, when the ABA changed its website login platform, are being asked to do so now, and to change any of those credentials reused on other, non-ABA accounts, since those accounts could now be exposed to credential stuffing.

“The ABA takes the security of users’ information seriously and has taken measures to reduce the likelihood of a future cyber-attack, including removing the unauthorized third party from the ABA network and reviewing network security configurations to address continually evolving cyber threats,” the association said.

“Although the ABA has received no reports of misuse of anyone’s information, we encourage concerned individuals to change any passwords which may be the same as or similar to the password at issue in this incident and remain vigilant against any unauthorized attempts to access online accounts.”

Although the stolen passwords are hashed and salted, they could still be cracked offline given enough time and motivation, which is why changing them, and any reused copies, matters.