The American Bar Association (ABA) has announced a data breach that exposed the identities, hashed and salted passwords, and email addresses of over a million members.
On March 17, 2023, it found illegal third-party access and launched an incident response strategy, enlisting the help of external cybersecurity specialists to investigate. The investigation, which was finished on March 23, 2023, found that the threat actor had gained access to a decommissioned server around March 06, 2023, and collected specific client information. There was no evidence that the threat actor took any further personal information or misappropriated the disclosed data.
Despite the fact that the user credentials were hashed and salted, many users may have reused them on the new ABA website, putting their new accounts at risk. The ABA has recommended impacted customers to update their login information, including on other sites where the compromised user credentials are being used, and to enable multi-factor authentication where available.
In addition, to prevent future instances, the ABA has implemented additional security measures, such as removing the attacker from the systems and examining its network configurations. However, security experts have warned that if a weak hashing algorithm such as MD5 or SHA-1 was used, the leaked user credentials could still be cracked.
The sources for this piece include an article in CPOMAGAZINE.