
American Bar Association network compromised, member data leaked to third party

By: Steve Schuster, [email protected]//April 20, 2023//

American Bar Association (ABA) headquarters in Chicago (Staff photo: Steve Schuster)


An unauthorized third party gained access to the American Bar Association (ABA) computer network beginning on or about March 6, obtaining usernames and passwords of members, according to an ABA letter sent to impacted members on Thursday night and signed by Annaliese Fleming, senior associate executive director and general counsel for the ABA.

On March 23, an investigation identified that an unauthorized third party acquired both usernames and “hashed” and “salted” passwords that were utilized to access online accounts on an older version of the ABA website prior to 2018 and/or on the ABA Career Center since 2018, according to the ABA.

Generally speaking, hashing runs a password through a one-way cryptographic hash algorithm, producing a fixed string of letters and/or numbers. If a website is hacked, cybercriminals don’t get the password itself. Instead, they get only the “hash” derived from the password.

However, according to the National Security Agency, approximately four years ago, cyber adversaries obtained “hashed password values” and other sensitive information from network infrastructure configuration files. Once the hashes were obtained, the adversaries were able to compromise network devices.

According to NSA, a random “salt” is often added to a password prior to hashing, making it more difficult for cybercriminals to use precomputed hashes to reverse the password.

“If the salted hash of a strong password is captured by a malicious actor, that hash should be of little use since the actor could not recover the actual password,” NSA said.
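The salting and hashing process described above, as an added illustration that is not part of the article or the ABA's systems: the constructed list of weak "default-style" passwords and the PBKDF2 parameters are assumptions, chosen to show why a per-user random salt defeats a precomputed table of unsalted hashes.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample of weak passwords an attacker might precompute hashes for.
DEFAULT_STYLE_CANDIDATES: List[str] = ["password", "Welcome1", "abc12345", "letmein"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def same_password_different_salts(password: str) -> bool:
    """Two users who chose the same password end up with different stored values."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return salt_a != salt_b and key_a != key_b


def _unsalted_table(candidates: List[str]) -> Dict[bytes, str]:
    """Precomputed table: plain SHA-256 of each candidate, built once, reused forever."""
    return {hashlib.sha256(c.encode("utf-8")).digest(): c for c in candidates}


def unsalted_lookup_succeeds(password: str, candidates: List[str]) -> bool:
    """Without a salt, a leaked hash of a weak password is a direct table lookup."""
    leaked = hashlib.sha256(password.encode("utf-8")).digest()
    return leaked in _unsalted_table(candidates)


def salted_lookup_fails(password: str, candidates: List[str]) -> bool:
    """With a random salt, the same weak password no longer matches the table."""
    _, leaked = hash_password(password)
    return leaked not in _unsalted_table(candidates)
```

A salt only blocks the precomputed table; a weak or default password can still be guessed one salt at a time, which is why the NSA statement quoted above is conditioned on the password being strong.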

In the case of the ABA breach, plain text passwords were therefore not exposed, ABA officials say.

“To be clear, the passwords were not exposed in plain text. They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext. In addition, in many instances, the password may have been the default password assigned to you by the ABA, if you never changed that password on the old ABA site. The ABA is notifying all affected individuals in an abundance of caution,” the ABA said in the email.

The ABA says it takes the security of members seriously and has taken measures to reduce the likelihood of a future cyber-attack, including removing the unauthorized third party from the ABA network and reviewing network security configurations to address continually evolving cyber threats.

According to the email, although the ABA has not received any reports of misuse of anyone’s information, members are encouraged to change any passwords which may be the same as or similar to the password at issue in this incident and remain vigilant against any unauthorized attempts to access online accounts. In some states, applicable law may require the ABA to provide additional information about identity theft, which is provided here.

Members who have questions can call 1-888-411-8698, Monday through Friday from 8 a.m. – 8 p.m.

NSA recommends use of “strong and unique” passwords along with multi-factor authentication whenever possible, and “privilege levels for least privilege.”

NSA Seal – Fort Meade, Maryland. (Staff photo by Steve Schuster)
