Cyberattack on American Bar Association sees 1.5m member accounts hacked

ABA alerts members to theft of usernames and coded passwords after March incident

A cyberattack on the American Bar Association’s (ABA’s) network saw the usernames and coded passwords of around 1.5 million accounts breached in March. 

An unauthorised third party gained access to the ABA’s computer network beginning on or around 6 March 2023, according to an email sent to impacted members on Thursday night by Annaliese Fleming Sr, associate executive director and general counsel for the ABA. 

A spokesperson told GLP that no financial or private data was breached. 

The ABA said it noticed unusual activity on its network on 17 March and brought in cybersecurity experts to assist with an investigation, which identified that the third party had acquired usernames and passwords that members may have used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018. 

‘To be clear, the passwords were not exposed in plain text,’ Fleming wrote in the email. ‘They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext. In addition, in many instances, the password may have been the default password assigned to you by the ABA, if you never changed that password on the old ABA site. The ABA is notifying all affected individuals in an abundance of caution.’
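The following is an added illustration, not code from the ABA email or from this article. It shows why a per-account salt makes identical default passwords produce different stored values, yet still lets a site operator find accounts left on the issued default so they can be forced to reset. The algorithm (PBKDF2-HMAC-SHA256), the iteration count, the default password and the member records are all assumptions constructed for the example; the article does not say what the ABA used.

```python
import hashlib
import hmac
import os

# Assumptions, not from the article: PBKDF2-HMAC-SHA256 with a 16-byte salt.
ITERATIONS = 10_000  # kept low so the example runs quickly; use far more in production
DEFAULT_PASSWORD = "Welcome-example-2017"  # constructed placeholder default


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored value from the password and the account's own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_record(user: str, password: str) -> dict:
    """Create a credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time check of a candidate password against one record."""
    derived = hash_password(candidate, record["salt"])
    return hmac.compare_digest(derived, record["hash"])


def accounts_needing_reset(records: list, default_password: str = DEFAULT_PASSWORD) -> list:
    """Return users whose stored hash still matches the issued default."""
    return [r["user"] for r in records if verify(r, default_password)]


# Constructed sample credential store: two members never changed the default.
RECORDS = [
    new_record("member-a", DEFAULT_PASSWORD),
    new_record("member-b", DEFAULT_PASSWORD),
    new_record("member-c", "a long unique passphrase chosen by the member"),
]

if __name__ == "__main__":
    # Same password, different salts: the stored hashes do not match each other.
    print("hashes differ:", RECORDS[0]["hash"] != RECORDS[1]["hash"])
    # The salt is stored beside the hash, so a known default is still checkable.
    print("force reset for:", accounts_needing_reset(RECORDS))
```

The salt defeats precomputed tables and hides which accounts share a password, but it does not protect a password that is already known or guessable, which is why unchanged defaults need a forced reset rather than reliance on the hash.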

Apologising to its affected members, the ABA said in the email that it took the security of their information ‘very seriously’ and had taken measures to reduce the likelihood of a future attack, including by removing the unauthorised third party from its network and reviewing network security configurations to address evolving cyber threats. 

According to the email, the ABA has had no reports that affected members’ information has been misused. However, it encouraged its members to change any passwords that may be the same or similar to those that were compromised. It also advised them to remain vigilant against any unauthorised attempts to access online accounts.

The email also advised: ‘If you would like to continue to use the ABA Career Center, you should consider changing your password in an abundance of caution.’
