The American Bar Association (ABA) has revealed that an unauthorized third party gained access to its computer network starting from March 6, 2023. The incident led to the unauthorized acquisition of usernames and passwords of ABA members. In a letter to affected members, ABA’s Senior Associate Executive Director and General Counsel, Annaliese Fleming, confirmed the incident and informed members of the steps taken by the association to address the situation.
An investigation into the incident, which took place on March 23, 2023, revealed that the unauthorized third party had obtained usernames and “hashed” and “salted” passwords used to access online accounts on an older version of the ABA website prior to 2018 and/or on the ABA Career Center since 2018.
Hashing is a process that converts a password into a string of letters and/or numbers using an encryption algorithm. This means that even if a website is hacked, cybercriminals cannot gain access to the full password, but only to the encrypted “hash” created by the password.
The National Security Agency (NSA) confirms that a random “salt” is often added to a password before hashing, making it more difficult for cybercriminals to use precomputed hashes to reverse the password. In the case of the ABA breach, plain text passwords were not exposed.
Take control of your legal job search and sign up for LawCrossing today.
The ABA reassured its members that passwords were not exposed in plain text. Instead, they were both hashed and salted, making it more difficult for cybercriminals to use them. Moreover, in many instances, the password may have been the default password assigned to a member by the ABA if they never changed their password on the old ABA site.
In its email, the ABA explained that it was notifying all affected individuals out of an abundance of caution. The ABA is taking the security of its members seriously and has taken measures to reduce the likelihood of future cyber-attacks. This includes removing the unauthorized third party from the ABA network and reviewing network security configurations to address continually evolving cyber threats.
Although the ABA has not received any reports of the misuse of anyone’s information, it urges members to change any passwords that may be the same as or similar to the password at issue in this incident. Members are also advised to remain vigilant against unauthorized access to their online accounts.
The ABA data breach underscores the importance of strong password practices and maintaining an up-to-date and secure IT infrastructure. Cyber threats continue evolving, and organizations must continuously review and improve their security measures to protect themselves and their members from attacks.
The ABA is taking the necessary steps to address the data breach and prevent any future occurrences. Members can take steps to protect themselves by changing their passwords and remaining vigilant against any unauthorized attempts to access their accounts.