"American Bar Association Breach Hits 1.5 Million Members"

A leading legal industry body in the US has recently been forced to contact individuals with accounts on its website to notify them that their logins may have been compromised. The American Bar Association (ABA) reportedly told 1.5 million individuals about the breach, which occurred last month. The ABA said in a notice on its website that it first discovered unusual activity on its network on March 17 but concluded that a threat actor had gained unauthorized access even earlier than that, on March 6. The ABA noted that on March 23, 2023, the investigation identified that an unauthorized third party had acquired usernames and hashed and salted passwords that users may have used to access online accounts on the old ABA website before 2018 or the ABA Career Center since 2018. In many instances, the password may have been the default password assigned to the user by the ABA if the user never changed that password on the old ABA site. The ABA is notifying all affected individuals out of an abundance of caution. The ABA stated that users who didn’t update their passwords in 2018, when the ABA changed its website login platform, are being asked to do so now, and to change any credentials reused on other non-ABA accounts, which could now be exposed to credential stuffing. Although the stolen passwords are hashed and salted, they could still be cracked given enough time and/or inclination.

 

Infosecurity reports: "American Bar Association Breach Hits 1.5 Million Members"
