American Bar Association Reports Data Breach Affecting 1.5 Million Accounts

The American Bar Association (ABA) has confirmed a data breach involving 1.5 million member accounts. Although the stolen passwords were hashed and salted rather than stored in plain text, the breach raises concerns over potential abuse of the credentials.

The American Bar Association (ABA) has disclosed a data breach affecting 1.5 million member accounts, providing a notice with details about the incident and recommendations for users. Detected in March, the breach involved usernames and hashed and salted passwords associated with accounts on the ABA's pre-2018 website and the career center website. While no personal or corporate information was accessed, the ABA is taking the security of user information seriously and implementing measures to prevent a recurrence.

The ABA has issued a notice explaining the incident and offering guidance to affected users. The association observed unusual network activity on March 17, 2023, and determined that an unauthorized third party had gained access to the network around March 6, 2023. The investigation identified that the attacker had acquired usernames and hashed and salted passwords used to access online accounts on the old ABA website prior to 2018 or the ABA Career Center since 2018.

The stolen passwords were not exposed in plain text but were hashed and salted, a process that adds random characters to the plain-text password before it is converted into a hash on ABA systems. In many instances, the passwords may have been default passwords assigned by the ABA, which users may not have changed later. The ABA is notifying affected individuals out of caution.

Although the ABA changed its website log-in platform in 2018 and asked users to create new credentials, users who employed the same credentials to access the new ABA website are advised to update their passwords. The association is working to reduce the likelihood of future cyber-attacks by removing the unauthorized third party from the network and reviewing network security configurations to address evolving cyber threats.

The ABA encourages users to change any passwords similar to those involved in the breach and remain vigilant against unauthorized attempts to access their online accounts.
