A hacker stole 1.5 million American Bar Association account usernames and passwords in March, the nation’s largest voluntary legal organization told Bloomberg Law.
The security breach of ABA’s network affected account information used to access the association’s pre-2018 website and the career center website, the ABA stated in a late Thursday email to affected account holders. Stolen passwords were encrypted, according to the ABA. A spokesperson confirmed the number of affected accounts on Friday.
The hack comes as several law firms, including Covington & Burling LLP and Proskauer Rose LLP, have made headlines in recent weeks for cyber breaches that exposed sensitive client information. Data breaches can lead to lawsuits claiming negligence, as in the class action against Cadwalader, Wickersham & Taft LLP, in which plaintiffs sued the firm, alleging it failed to prevent a hack of its networks and the theft of personal data.
The ABA is advising users who didn’t change their credentials during the 2018 transition to a new website log-in platform to update their passwords.
Information in member profiles—which generally can include members’ names, addresses, contacts, bar admissions, education, demographics, and credit card data—wasn’t stolen or accessed, an ABA spokesperson said.
There is “no indication” that the personal information of account holders was misused by the hacker, the ABA said.
“To be clear, the passwords were not exposed in plain text. They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext,” Annaliese Fleming, senior associate executive director and general counsel for ABA, wrote in the Thursday notice.
The legal association said it removed the unauthorized actor and is reviewing its network security configurations.