American Bar Association Data Breach Hits 1.4 Million Members

Summary:
“The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members. The ABA is the largest association of lawyers and legal professionals globally, with 166,000 members as of 2022. The organization provides continuing education and services for lawyers and judges, as well as initiatives to improve the legal system in the USA” (Bleeping Computer, 2023).

Yesterday, the ABA began notifying members of a cyber incident that occurred on March 17, 2023. In their message to members, the ABA warned that a hacker gained credentials to a member login portal that was decommissioned in 2018. "The investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired certain information. On March 23, 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that you may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018."

Analyst comments:
The ABA told Bleeping Computer that the breach likely impacts its 1,466,000 members. The attack did not result in a ransomware incident, and the ABA says no corporate or personal data was stolen. The main concern is the stolen credentials, which could be used by threat actors.

The American Bar Association says these legacy credentials were hashed and salted, meaning they were converted from plaintext into a form that does not directly reveal the password. "The passwords were both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext," explains the ABA notification. While the passwords were hashed and salted, the ABA warns that threat actors can still recover ("dehash") them given enough time. To make matters worse, the ABA says that "in many instances" the password may have been a default password assigned by the ABA when the account was registered, if it was not later changed.
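To make concrete what "hashed and salted" means, and why an unchanged default password undermines it, the following is an added Python example; it is not code from the original article or from any ABA system. The hash function (PBKDF2-HMAC-SHA256), the storage record format, the iteration count, and the sample accounts are all assumptions constructed for illustration; the ABA notice does not describe its legacy scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical parameters chosen for this illustration only.
SALT_BYTES = 16
ITERATIONS = 600_000  # PBKDF2 cost factor; slows each guess an attacker must make


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per account means two members with the same password
    get different records, so one recovered password does not reveal the other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_make_hashes_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Same password hashed twice yields two different records, both of which verify."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a != b and verify_password(password, a) and verify_password(password, b)


# Constructed sample directory (hypothetical): each account stores its password
# record and the default password the operator assigned at registration. A low
# iteration count is used here only to keep the sample cheap to build.
SAMPLE_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "jdoe": {
        "stored": hash_password("Welcome2018", iterations=1_000),
        "assigned_default": "Welcome2018",
    },
    "asmith": {
        "stored": hash_password("a-long-unique-passphrase", iterations=1_000),
        "assigned_default": "Welcome2018",
    },
}


def accounts_still_on_default(accounts: Dict[str, Dict[str, str]]) -> List[str]:
    """Defender-side check: which accounts still authenticate with the default the
    operator assigned? Salting does not help these; the operator already knows the
    plaintext, and so would anyone who learns the default scheme. Such accounts
    should be forced to reset rather than merely warned.
    """
    return sorted(user for user, rec in accounts.items()
                  if verify_password(rec["assigned_default"], rec["stored"]))


if __name__ == "__main__":
    print("salting works:", salts_make_hashes_differ("correct horse battery staple"))
    print("accounts still on default:", accounts_still_on_default(SAMPLE_ACCOUNTS))
```

The point of the last function is the one the ABA notice raises: a salted hash only protects a password that is actually secret. An operator who assigned defaults can (and should) run exactly this kind of check over its own directory before an incident, and force a reset for every account that still matches.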

Mitigation:
What should ABA members do?

The concern is that members may have used the same credentials on the new member system as those on the legacy system shut down in 2018. If that is the case, it may be possible for the threat actors to use those credentials to gain access to the current ABA membership portal.

Furthermore, if the same credentials are used at other sites, the threat actors could attempt to gain access to other accounts used by the member. Therefore, the ABA recommends that members change their passwords on the site and any other sites utilizing the same credentials.

All ABA members are advised to also watch for spear-phishing emails impersonating the ABA, as threat actors may use them to access further personal information.

Source:
https://www.bleepingcomputer.com/ne...ociation-data-breach-hits-14-million-members/