The American Bar Association (ABA) suffered a massive data breach that leaked the user credentials of more than a million members. ABA notified affected individuals that it detected unauthorized third-party access on March 17, 2023.
The legal professional body initiated an incident response plan and engaged external cybersecurity experts to assist with the investigation. On March 23, 2023, the investigation determined that the threat actor gained access to a decommissioned server around March 06, 2023, and obtained certain client information.
American Bar Association data breach leaked user credentials
The American Bar Association disclosed that unauthorized access exposed “usernames and hashed and salted passwords” used on the “old ABA website prior to 2018 or the ABA Career Center since 2018.”
“They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext,” the data breach notification stated.
ABA noted that many leaked user credentials were default passwords assigned during account creation.
Additionally, although the threat actor accessed a decommissioned server, many users may have reused the same credentials on the new ABA website, putting their current accounts at risk.
While ABA was still assessing the risk, it found no indication that the threat actor had stolen additional personal information or misused the leaked data. There is also no indication that the data breach originated from a ransomware attack.
Meanwhile, the legal professional body has taken additional security measures, including removing the attacker from the systems and reviewing its network configurations to prevent a similar incident.
Additionally, ABA notified approximately 1.4 million potential data breach victims, urging them to change their login information, including on any other sites where they reused the leaked user credentials. They should also enable multi-factor authentication where possible and stay vigilant for phishing attempts by threat actors impersonating ABA staff.
“Now those usernames and salted password hashes are out in the wild, there is no time limit for the threat actor to be concerned about—therefore it’s important for ABA end-users to change their passwords as soon as possible, wherever they’re in use,” said Darren James, Senior Product Manager at SpecOps Software.
While the leaked user credentials are hashed and salted, hackers could still crack the passwords if a weak, fast hashing algorithm such as MD5 or SHA-1 was used. Similarly, recovering plaintext passwords is more likely if a single static salt was used for every account, or if the salt was stored alongside the leaked user credentials.
According to Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, the leaked user credentials were more likely hashed using a weak algorithm, making them vulnerable to cracking.
“While the American Bar Association says the passwords stolen were ‘hashed and salted,’ since the passwords in question may have been in use from before 2018, the algorithm’s protection against decrypting may be an earlier, less secure method, leaving the passwords open to brute force attacks.”
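To make the two concerns above concrete (fast legacy hashing with a static salt, and default passwords shared by many accounts), the following added example, which is not code from ABA or from this article, contrasts a hypothetical legacy MD5-plus-static-salt scheme with per-user random salts and PBKDF2, and includes a simple audit check a defender can run over their own password table: with a static salt, every account still on the same default password produces an identical hash, which is visible at a glance in a leaked table; with per-user salts it is not. The sample users, passwords, and the static salt value are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: three accounts, two of which still carry the same default password.
SAMPLE_USERS = {
    "alice": "Welcome123",   # default password assigned at account creation
    "bob":   "Welcome123",   # same default, never changed
    "carol": "correct horse battery staple",
}

STATIC_SALT = b"site-wide-salt"  # hypothetical single salt shared by every account (the weak pattern)


def legacy_hash(password: str) -> str:
    """Weak scheme: fast MD5 over a static, site-wide salt plus the password."""
    return hashlib.md5(STATIC_SALT + password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Stronger scheme: 16-byte random per-user salt, slow PBKDF2-HMAC-SHA256,
    stored in a self-describing format so parameters can be upgraded later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, _digest_hex = stored.split("$")
    recomputed = modern_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)


def duplicate_hash_groups(hashes: Dict[str, str]) -> List[List[str]]:
    """Audit check: users whose stored hashes are byte-for-byte identical.
    Any group larger than one means the salt is static (or absent) AND those
    users share a password, which is what unchanged default passwords look
    like in a leaked table. Per-user salts make this list empty by design."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def audit_both_schemes() -> Dict[str, List[List[str]]]:
    """Run the duplicate check over the same users under each scheme."""
    legacy = {u: legacy_hash(p) for u, p in SAMPLE_USERS.items()}
    modern = {u: modern_hash(p) for u, p in SAMPLE_USERS.items()}
    return {"legacy": duplicate_hash_groups(legacy), "modern": duplicate_hash_groups(modern)}
```

Running `audit_both_schemes()` flags alice and bob under the legacy scheme and nobody under the modern one; the same duplicate check is a cheap way to confirm that an old user table really uses per-user salts before assuming a leak of it is low-risk.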
Legal sector has suffered multiple cyber-attacks and data breaches
The legal sector has become a frequent target of cyber attacks aimed at the confidential information held by law firms and other legal professional bodies. The industry has also suffered multiple data breaches caused by human error.
On January 10, 2023, the U.S. Securities and Exchange Commission sued Covington & Burling after hackers breached the law firm, gaining access to 300 clients’ confidential information.
Cadwalader, Wickersham & Taft is also facing a class action lawsuit in Manhattan, New York, stemming from a November 2022 data breach that exposed the personal information of 93,000 people.
In March 2023, law firm Heidell, Pittoni, Murphy & Bach agreed to settle a 2021 data breach investigation by paying $200,000 to the state of New York. And in early 2022, the State Bar of California disclosed a data breach that leaked 260,000 attorney discipline cases.