Malware
“Massive Cyber Attack on American Bar Association Exposes Personal Information of 1.4 Million Members”
The American Bar Association (ABA) has disclosed a data breach that affected approximately 14 million current and former members. The breach was discovered in March 2021 after an unauthorized party gained access to the ABA’s server containing sensitive information such as names, addresses, email addresses, and birth dates. The ABA is offering affected members one year of free credit monitoring and identity theft protection services.
The network of the American Bar Association (ABA) has been breached, and hackers have gained access to older credentials of 1,466,000 members. The ABA is the largest global association of lawyers and legal professionals, with 166,000 members as of 2022. The association provides continuing education and services for lawyers and judges, as well as initiatives to improve the legal system in the USA. On March 17th, 2023, the ABA detected a hacker on its network and began notifying its members on Thursday night. The hacker may have gained access to members’ login credentials for a legacy member system that was decommissioned in 2018. An unauthorized third party gained access to the ABA network on or about March 6, 2023, and may have acquired certain information.
The ABA has warned its members that usernames and hashed and salted passwords used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018 may have been acquired by the hacker. The ABA has confirmed that 1,466,000 members have been affected by this breach. Although no corporate or personal data was stolen, there are concerns that the threat actors could abuse the credentials.
The ABA says these legacy credentials were hashed and salted, meaning they were converted from plaintext into a more secure format. However, it is still possible for threat actors to dehash the passwords over time. To make matters worse, the ABA says that “in many instances” the password may have been a default password assigned by the ABA when the account was registered if it was not later changed.
Members may have used the same credentials on the new member system as those on the legacy system shut down in 2018. If that is the case, it may be possible for the threat actors to use those credentials to gain access to the current ABA membership portal. Furthermore, if the same credentials are used at other sites, the threat actors could attempt to gain access to other accounts used by the member.
Therefore, the ABA recommends that members change their passwords on the site and any other sites utilizing the same credentials. All ABA members are advised to also watch for spear-phishing emails impersonating the ABA, as threat actors may use them to access further personal information.