The ABA is reporting an attacker gained access to an old website that was in use prior to 2018. The breach appears to have impacted the user ids and passwords to a little over 1.4 million accounts.
The good news is the passwords were hashed and salted, so it will be harder for criminals to take advantage of the compromised credentials. But, given enough time, the criminals may be able de-hash them.
From the ABA notification:
"They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext."
Take aways:
Even old data can be dangerous in the wrong hands.
Hopefully, lawyers and judges that have accounts involved in this breach had adequate security training and did not use simple passwords or re-use the same passwords in other places.
Since usernames are often your email address, all involved should be ready for the spear-phishing attacks that are likely to start happening.
For us non-legal professionals, it is probably a good idea to be even more vigilant about communications claiming to be from an attorney.
Definitions
Password hashing - A technique used in computer security to store passwords securely. It involves taking a plain-text password and running it through a cryptographic hash function, which produces a unique string of characters that represents the original password.
Salting - Adding a random string of characters to a password before hashing it. This makes it harder for attackers to use precomputed tables to crack passwords.
Plain text - Refers to passwords that are stored or transmitted in their original, unencrypted / non-hashed form. This means that if someone gains access to the password database or intercepts the transmission, they can easily read and use the password. It is considered a security risk to store passwords in plain text and is not recommended. Instead, passwords should be hashed or encrypted to protect them from unauthorized access.
Spear phishing -A type of phishing that targets a specific individual or organization. It involves sending fraudulent emails or messages that appear to be from a trustworthy source. Unlike traditional phishing, which is sent to a large number of people in the hopes of catching a few victims, spear phishing is highly targeted and personalized to increase the likelihood of success.
Source: BleepingComputer
Would you like a free, no-obligation Cybersecurity Benchmarking of your organization showing where you stand vs. industry-accepted practices? Click here to schedule a time with one of our associates.