A major U.S. legal trade association was forced to notify individuals who had accounts on its website that their logins may have been compromised.
The American Bar Association (ABA) reportedly told 1.5 million people about the breach that occurred last month.
In a notice on its website, ABA said it first discovered unusual activity on its network on March 17, but concluded that the threat actor gained unauthorized access earlier, on March 6.
“A March 23, 2023 investigation found usernames, hashed and salted, that may have been used to access the old ABA website prior to 2018 or the ABA Career Center online account after 2018. It turned out that the encrypted password was obtained by an unauthorized third party.”
“In many cases, if the user has not changed that password on the old ABA site, the password may be the default password assigned to the user by ABA. We will notify you with due care.”
Users who did not update their passwords when ABA changed its website login platform in 2018 are now being asked to do so. Credentials that were reused for other, non-ABA accounts could also leave those accounts exposed to credential theft.
“ABA takes the security of user information seriously and has taken steps to reduce the likelihood of future cyberattacks. This includes keeping unauthorized third parties out of the ABA network and ensuring network security. This includes reviewing our configuration to address ever-evolving cyber threats,” the association said.
“Although ABA has not received any reports of misuse of anyone’s information, we have asked those involved to change any passwords that may be the same or similar to the passwords at issue in this incident, and to ensure that any online accounts We recommend that you remain vigilant against attempts to gain unauthorized access.”
The stolen passwords are hashed and salted, but they can still be cracked given enough time and inclination.