The American Bar Association (ABA), a preeminent global association of legal practitioners and professionals with 166,000 members as of 2022, recently suffered a data breach in which cybercriminals penetrated its network and gained unauthorized access to old credentials belonging to 1,466,000 members.
Following a suspected breach that occurred on March 17th, 2023, the ABA promptly initiated its incident response plan and brought in cybersecurity experts to assist with the investigation. According to an email notification sent to affected members, the unauthorized access began on or about March 6, 2023. It was subsequently disclosed that usernames and passwords, hashed and salted in a secure format, were obtained, potentially exposing members' online accounts registered with the ABA Career Center since 2018 or on the old ABA website before 2018.
Although no personal or corporate data was exfiltrated during the breach, concern remains that the threat actors could misuse the compromised credentials over time. Notably, the ABA has admitted that several passwords may have been set as defaults when accounts were opened and never changed afterwards. Even though the passwords were hashed and salted, the hashes could still be cracked, which adds to the unease among affected members.