Pierluigi Paganini April 21, 2023

The American Bar Association (ABA) disclosed a data breach, threat actors gained access to older credentials for 1,466,000 members.

The American Bar Association (ABA) is a voluntary bar association of lawyers and law students; it is not specific to any jurisdiction in the United States. The ABA has 166,000 members as of 2022.

The attackers may have gained access to the members’ credentials for a legacy member system that was decommissioned in 2018.

The security breach was detected on March 17, 2003 and according to the company the intrusion begun on or about March 6, 2023. The organization on Thursday began notifying members.

“On March 17, 2023, the ABA observed unusual activity on its network. The incident response plan was immediately activated response, and cybersecurity experts were retained to assist with the investigation,” reads the data breach notification email sent to impacted members, as reported by BleepingComputer.

“The investigation determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023 and may have acquired certain information.”

The investigation launched into the incident revealed that that an unauthorized third party obtained usernames and hashed and salted passwords for members’ online accounts on the ABA website prior to 2018 or the ABA Career Center since 2018.

According to BleepingComputer, 1,466,000 members were impacted by this breach.

The organization did not provide details about the attack.

It it important to highlight that even with the passwords being hashed and salted, threat actors can obtain the plain text the passwords, especially for weak passwords.

The bad news is that many members used a default password assigned by the platform and never changed it over the time.

Members are recommended to change their passwords on the new ABA portal and all online services that share the same credentials.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, American Bar Association (ABA))