In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. The service is a relic of electronic mail history, and the majority of its users have long since jumped ship for Gmail or Yahoo.

Yet those who still have accounts with AOL were no doubt unhappy when they discovered last weekend that a slew of old AOL Mail accounts had been hacked to send spam to their friends.

While it’s unclear exactly how many users’ accounts have been compromised at this point, multiple users have complained on Twitter that their accounts – some of which naturally have not been used for years – were compromised and used to send spam to other users.

AOL acknowledged the hack late yesterday and pointed out that it’s likely affected users weren’t hacked but spoofed, and that it’s doing everything in its power to correct the issue.

“AOL takes the safety and security of consumers very seriously, and we are actively addressing consumer complaints,” AOL said in a statement Tuesday. “We are working to resolve the issue of account spoofing to keep users and their respective accounts running smoothly and securely.”

As AOL notes, spoofing attacks are basically spam emails that appear to come from the victim but are technically coming from the spammers’ email account and are sent via the spammers’ server.
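How a receiving mail server's checks expose the kind of spoofed message described above, as an added example (not code from AOL or from this article): it reads the Authentication-Results header that receivers add after SPF and DKIM checks and tests whether either passing identity matches the From: domain. The sample messages, the trusted server name `mx.example.net` and the simplified alignment rule are assumptions made for the illustration.

```python
import email
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: the receiver's own mail server
GENUINE = (  # constructed sample messages, not real mail
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=aol.com;\n"
    " dkim=pass header.d=aol.com; dmarc=pass header.from=aol.com\n"
    "From: Friend <friend@aol.com>\nSubject: lunch?\n\nSee you at noon.\n"
)
SPOOFED = (
    "Authentication-Results: mx.example.net; spf=pass\n"
    " smtp.mailfrom=bulk.example.org; dkim=none; dmarc=fail header.from=aol.com\n"
    "From: Friend <friend@aol.com>\nSubject: Fw: News\n\nhttp://link.example/\n"
)
UNVERIFIED = (
    "Authentication-Results: other.example; spf=pass smtp.mailfrom=aol.com\n"
    "From: Friend <friend@aol.com>\nSubject: How are you?\n\nhi\n"
)

def parse_auth_results(header):
    """Return (authserv_id, {method: (result, props)}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    results = {}
    for clause in parts[1:]:
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = (result.lower(), props)
    return parts[0].lower(), results

def aligned(identity, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain of it."""
    domain = identity.rpartition("@")[2].lower()
    return bool(domain and from_domain) and (
        domain == from_domain or domain.endswith("." + from_domain))

def classify(raw):
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for header in msg.get_all("Authentication-Results", []):
        server, auth = parse_auth_results(header)
        if server != TRUSTED_AUTHSERV:
            continue  # anyone can add this header; trust only our own server's
        spf_res, spf = auth.get("spf", ("none", {}))
        dkim_res, dkim = auth.get("dkim", ("none", {}))
        spf_ok = spf_res == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
        dkim_ok = dkim_res == "pass" and aligned(dkim.get("header.d", ""), from_domain)
        return "aligned" if (spf_ok or dkim_ok) else "possible-spoof"
    return "unverified"
```

In the spoofed sample SPF passes, but for the spammer's own envelope domain, which is why the From: address alone says nothing about where a message came from.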

While spoofing attacks are nothing new, this particular campaign appears to have really started picking up steam over the weekend. Since Sunday, the hashtag #AOLhacked on Twitter has seen users bemoaning the service’s security and others cracking their fair share of jokes.

Since there’s a difference between being hacked and being spoofed, there’s nothing users can really do to prevent the spammer from continuing to spoof their email accounts. Users can change their passwords and delete their contacts, but it doesn’t really matter – the spammer already has a copy of the victim’s address book.

The company’s mail Twitter page, @AOLMailHelp, said it plain and simple yesterday: “Once your account is spoofed, there is nothing else that can be done.”

Some experts, however, like web designer and programmer Brian Alvey, are speculating that AOL Mail may have suffered an address book webmail exploit.

“When you load [Yahoo’s] webmail interface your browser makes several calls into AOL for data. One is to login. Another is to load all the messages in your inbox. Another is to load your address book so you can a) see who your friends are and b) easily send them email, auto-completing addresses as you type them,” Alvey wrote in a blog entry last night.

“Each of those data calls should have security checks.”

Alvey surmises that there may not have been a security check like this in place, something that could allow an attacker to bypass security and secure access to users’ address books without being forced to guess passwords or go through the trouble of hacking into the affected accounts.
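The kind of per-call check Alvey describes, sketched as an added example (not AOL's code and not from Alvey's post): an address book handler that trusts the account name sent by the browser, beside one that ties the request to the logged-in session. The token format, function names and data are all hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-process signing key (example only)
ADDRESS_BOOKS = {                     # constructed data
    "alice": ["bob@example.com", "carol@example.com"],
    "mallory": ["eve@example.com"],
}

def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def login(user):
    """Issue a signed session token (password verification omitted here)."""
    return f"{user}:{_sign(user)}"

def session_user(token):
    """Return the user a token was issued to, or None if it is invalid."""
    user, _, sig = (token or "").partition(":")
    if user and hmac.compare_digest(sig.encode(), _sign(user).encode()):
        return user
    return None

def address_book_unchecked(token, owner):
    # Missing check: the 'owner' parameter from the browser is trusted as-is.
    return 200, ADDRESS_BOOKS.get(owner, [])

def address_book_checked(token, owner):
    caller = session_user(token)
    if caller is None:
        return 401, []  # no valid session
    if caller != owner:
        return 403, []  # valid session, but requesting someone else's data
    return 200, ADDRESS_BOOKS.get(owner, [])
```

With a valid session for one account, the unchecked handler returns any other account's contacts, while the checked handler answers 403.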

[Image: spam_aol]

In the meantime, even though it may not help, it can’t hurt for anyone with an old AOL Mail account to change their password and to steer clear of any suspicious-looking emails, especially those that direct you to a murky-looking link, like the one above.

Categories: Web Security

Comments (21)

    • Lou
      2

      I can’t get into my AOL account and none of my security information will allow me in either. I can’t change my password. There is more to this story. Am I the only one? Is there a solution?

      Reply
  1. Garnet
    3

    Yeah! There isn’t anything WE can do about it.
    This problem is currently happening to me and my account.
    I have just changed my PW but the “bad genie” is already out of the bottle.
    Everyone I know would have to change their E-mail address and let me know about it or a third party software would have to “phish” it out or the jerk running this problem gets tired of it and shuts it down.
    And wouldn’t I have to have been “hacked” originally before the “spoofing” began?

    Reply
  2. Adam
    4

    Happened to me too. Glad to have come across this to explain (sort of) what happened and that I’m not alone. That does nothing tho to mitigate how pissed I am tho. I have jumped ship to gmail which friends have been chiding me to do for years but did not because I had too much connected to AOL. I am severing the ties. Later AOL.

    Reply
  3. Victim
    6

    I was a victim. Contrary to AOL’s assertions, this was hacking, not spoofing. The hacker went into my address lists of multiple screen-names and sent spam to those addresses. AOL’s “spoofing” explanation is a cover-up, a self-serving denial, an avoidance of the truth of a deep breach of AOL security.
    Get real AOL.

    Reply
  4. Monica
    8

    I cannot even get into my email account on AOL and when I elect “forgot password” the virus tells me it’s a connectivity problem. However, I am obviously on the internet. BS! Trying to find a resume that I had on an AOL folder….

    Reply
  5. longtimeaol
    9

    The aol problem is more than spoofing. Spam messages include contacts that I deleted several years ago in addition to my current contacts list.

    Reply
  6. craig
    10

    It would seem that at least one “hack” must have occurred in order for the bad guys to get a copy of one’s contact list, either from you or from AOL. Probably the only thing to do at this point is to send an email to all on your contact list to put your full email address in their Spam filter. Or you could just have them put the Subject in the filter: “Fw: News” and “How are you?”, but the bad guy could change that. Remember that any emails coming to your AOL will come to you just fine. It’s just emails from the bad guy going to your friends that get zonked.

    Reply
  7. Croakers
    11

    Whaaa? AOL is still around?

    Why are you still paying for email?

    If you want to pay to avoid being data mined (aka Google), then Hushmail is good. Run both for a time until you get everyone you want on your new email address. Dump the spammers.

    Least Hushmail will only give your identity away if you’re doing crime, not for anything else.

    Reply
  8. Anonymous
    12

    It’s true – AOL are not being honest – it was definitely a hack because they got all of our address book. It’s true that they were also spoofed (i.e. AOL wasn’t used to actually send the spam….

    Reply
  9. scott
    13

    So…AOL responded 5 days later – and here is what they tell me:

    Hi there,

    I’m sorry to hear you’re having trouble with your account. It sounds like your account is being spoofed. That’s when a spammer sends out messages with your email address in the From: field. This makes it seem like the spam email is coming from you, even though it isn’t coming from your account or from AOL servers. It’s actually being sent from the spammer’s email account. For more information about email spoofing, please visit this help article:

    http://aol.it/1haJen3

    We have taken a significant step in preventing email spoofing by updating our DMARC policy to tell DMARC-compliant email providers like Gmail, Yahoo! Mail, Outlook.com and others (including AOL Mail itself) to reject mail from AOL addresses that is sent from non-AOL servers. You can read more about this move here: http://aol.it/1ighJ1p

    AOL takes the security of consumers very seriously and we are committed to continually improving our security protocols in an effort to prevent situations like this from occurring. We apologize for any inconvenience this may have caused.

    Please reply to this email if you have further questions.

    Best Regards,

    Phoebe

    AOL Email Support Team

    Reply
  10. Annabel
    15

    I also can’t get into email after entering new password. Furthermore, I cannot get into my aol account to close it. Tried phoning them – message said there would be a 15 minute wait. Was prepared to wait but after a few minutes they hung up.

    Reply
  11. Heather
    16

    I have lost access to my aol account and cannot change my password. I got a message after the last email I received was at 10.30 on the 6/5/14 password incorrect. Tried the password on the aol website and it’s wrong so it has definitely been changed. I suspect my back up email has been changed too because when I try and get in to change the password it says the backup email is incorrect. Now it has told me to contact aol which I did and they said they couldn’t answer the call and to ring back after 2 hours. I have been with aol over 15 years and don’t take kindly to being treated as though I don’t know what I am doing. I am not sure what to do now.

    Reply
  12. Tanya Hanson
    17

    I was hacked overnight. My contacts are gone. How do I get them back? How did somebody get to them? I have great computer security. Are my folders in danger?

    Reply
  13. Patricia Kurmin
    18

    I am considering closing my aol account because in the past two months I have received several calls threatening to call the police or to close my account. A month ago I reported this to my local police who took the complaint and agreed this was a scam. It is a security breach on AOL’s part. Is there anything you can do about this matter?

    Reply
  14. Carol Cantell Moorby
    19

    I have not changed my password yet I keep getting a message which says it is not the right password. This is the second time this has happened…. I can’t get my email or send any email. I don’t want to change my password….. When I call to talk to an operator they don’t understand me and I can’t understand them either. They just hang up on me which is rude and wrong. You need to help me fix my account and explain why this keeps happening.

    Reply
  15. Carol Cantell Moorby
    20

    Just to add to my previous comment…..I have been with you for years and may have to drop if you can’t get the problem resolved. Especially the rude operator who hung up on me.

    Reply
  16. ena king
    21

    I was hacked on 6 July when I wasn’t even home on the computer. Now even though I have changed the password, it won’t let me into my e-mail account. What happens next?

    Reply
