AOL Email Hacked by Spoofers to Send Spam

A slew of old AOL email accounts were hacked over the weekend to send spam to other users.

In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. The service is a relic of electronic mail history, and the majority of users have long since jumped ship for Gmail or Yahoo.

Yet those who still have accounts with AOL were no doubt unhappy when they discovered last weekend that a slew of old AOL Mail accounts had been hacked to send spam to their friends.

While it’s unclear exactly how many users’ accounts have been compromised at this point, multiple users have complained on Twitter that their accounts – some of which naturally have not been used for years – were compromised and used to send spam to other users.

AOL acknowledged the hack late yesterday and pointed out that it’s likely affected users weren’t hacked but spoofed, and that it’s doing everything in its power to correct the issue.

“AOL takes the safety and security of consumers very seriously, and we are actively addressing consumer complaints,” AOL said in a statement Tuesday, “We are working to resolve the issue of account spoofing to keep users and their respective accounts running smoothly and securely.”

As AOL notes, spoofing attacks are basically spam emails that appear to come from the victim but are technically coming from the spammers’ email account and are sent via the spammers’ server.
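The spoofing described above can be seen from the recipient's side by comparing the visible From: domain with the domains that actually passed SPF and DKIM. The following is an added example, not code from the article or from AOL; the sample messages, host names and the simplified alignment rule are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of an address or bare domain ('' if absent)."""
    _, addr = parseaddr(value or "")
    return (addr or value or "").rpartition("@")[2].strip("<> ").lower()

def aligned(auth_domain, from_domain):
    # Simplification (assumption): exact match or subdomain of the From:
    # domain. Real DMARC compares organizational domains via a suffix list.
    return bool(auth_domain and from_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain))

def assess(raw_message):
    """Check whether any passing SPF/DKIM identity matches the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    # Only trust an Authentication-Results header added by your own mail server.
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(
        domain_of(spf.group(2)), from_domain)
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(
        domain_of(dkim.group(2)), from_domain)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "verdict": "aligned" if (spf_ok or dkim_ok) else "unaligned"}

# Constructed sample: From: shows the victim, but SPF passed for another domain.
SPOOFED = (
    "From: \"Victim\" <victim@aol.com>\n"
    "Return-Path: <bounce@bulk.spammer.example>\n"
    "Authentication-Results: mx.recipient.example; "
    "spf=pass smtp.mailfrom=bounce@bulk.spammer.example; dkim=none\n"
    "Subject: How are you?\n\nconstructed body\n")

# Constructed sample: the authenticated identities match the From: domain.
GENUINE = (
    "From: \"Victim\" <victim@aol.com>\n"
    "Authentication-Results: mx.recipient.example; "
    "spf=pass smtp.mailfrom=victim@aol.com; dkim=pass header.d=aol.com\n"
    "Subject: Hello\n\nconstructed body\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess(raw))
```

A message that is "unaligned" passed no check for the domain it claims in From:, which is the condition a DMARC reject policy acts on.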

While spoofing attacks are nothing new, this particular campaign appears to have really started picking up steam over the weekend. Since Sunday, the hashtag #AOLhacked on Twitter has seen some users bemoan the service’s security and others crack their fair share of jokes.

Since there’s a difference between being hacked and being spoofed, there’s nothing users can really do to prevent the spammer from continuing to spoof their email accounts. Users can change their passwords and delete their contacts, but it doesn’t really matter – the spammer already has a copy of the victim’s address book.

The company’s mail Twitter page, @AOLMailHelp, said it plain and simple yesterday: “Once your account is spoofed, there is nothing else that can be done.”

Some experts, like web designer and programmer Brian Alvey, are speculating, however, that AOL Mail may have suffered an address book webmail exploit.

“When you load [Yahoo’s] webmail interface your browser makes several calls into AOL for data. One is to login. Another is to load all the messages in your inbox. Another is to load your address book so you can a) see who your friends are and b) easily send them email, auto-completing addresses as you type them,” Alvey wrote in a blog entry last night.

“Each of those data calls should have security checks.”

Alvey surmises that there may not have been a security check like this in place, something that could allow an attacker to bypass security and secure access to users’ address books without being forced to guess passwords or go through the trouble of hacking into the affected accounts.


In the meantime, even though it may not help, it may not hurt for anyone with an old AOL Mail account to change their password and to steer clear of any suspicious-looking emails, especially those that direct you to a murky-looking link, like the one above.



  • scott on

    so it sounds like even if I deleted my AOL account - I would still have issues?
    • Lou on

      I can't get into my AOL account and none of my security information will allow me in either. I can't change my password. There is more to this story. Am I the only one? Is there a solution?
  • Garnet on

    Yeah! There isn't anything WE can do about it. This problem is currently happening to me and my account. I have just changed my PW but the "bad genie" is already out of the bottle. Everyone I know would have to change their E-mail address and let me know about it or a third party software would have to "phish" it out or the jerk running this problem gets tired of it and shuts it down. And wouldn't I have to have been "hacked" originally before the "spoofing" began?
  • Adam on

    Happened to me too. Glad to have come across this to explain (sort of) what happened and that I'm not alone. That does nothing tho to mitigate how pissed I am tho. I have jumped ship to gmail which friends have been chiding me to do for years but did not because I had too much connected to AOL. I am severing the ties. Later AOL.
  • Ylime on

    How does loading Yahoo's mail interface make calls to AOL?
  • Victim on

    I was a victim. Contrary to AOL's assertions, this was hacking, not spoofing. The hacker went into my address lists of multiple screen-names and sent spam to those addresses. AOL's "spoofing" explanation is a cover-up, a self-serving denial, an avoidance of the truth of a deep breach of AOL security. Get real AOL.
  • Christine on

    Shame on AOL!!
  • Monica on

    I cannot even get into my email account on AOL and when I elect "forgot password" the virus tells me it's a connectivity problem. However, I am obviously on the internet. BS! Trying to find a resume that I had on an AOL folder....
  • longtimeaol on

    The aol problem is more than spoofing. Spam messages include contacts that I deleted several years ago in addition to my current contacts list.
  • craig on

    It would seem that at least one "hack" must have occurred in order for the bad guys to get a copy of one's contact list, either from you or from AOL. Probably the only thing to do at this point is to send an email to all on your contact list to put your full email address in their Spam filter. Or you could just have them put the Subject in the filter: "Fw: News" and "How are you?", but the bad guy could change that. Remember that any emails coming to your AOL will come to you just fine. It's just emails from the bad guy going to your friends that get zonked.
  • Croakers on

    Whaaa? AOL is still around? Why are you still paying for email? If you want to pay to avoid being data mined (aka Google), then Hushmail is good. Run both for a time until you get everyone you want on your new email address. Dump the spammers. Least Hushmail will only give your identity away if you're doing crime, not for anything else.
  • Anonymous on

    It's true - AOL are not being honest - it was definitely a hack because they got all of our address book. It's true that they were also spoofed (i.e. AOL wasn't used to actually send the spam....
  • scott on

    So...AOL responded 5 days later - and here is what they tell me: Hi there, I'm sorry to hear you're having trouble with your account. It sounds like your account is being spoofed. That's when a spammer sends out messages with your email address in the From: field. This makes it seem like the spam email is coming from you, even though it isn't coming from your account or from AOL servers. It's actually being sent from the spammer's email account. For more information about email spoofing, please visit this help article: We have taken a significant step in preventing email spoofing by updating our DMARC policy to tell DMARC-compliant email providers like Gmail, Yahoo! Mail, and others (including AOL Mail itself) to reject mail from AOL addresses that is sent from non-AOL servers. You can read more about this move here: AOL takes the security of consumers very seriously and we are committed to continually improving our security protocols in an effort to prevent situations like this from occurring. We apologize for any inconvenience this may have caused. Please reply to this email if you have further questions. Best Regards, Phoebe AOL Email Support Team
  • Dan on

    I changed my password like I was told to do but cannot access my emails. WHY
  • Annabel on

    I also can't get into email after entering new password. Furthermore, I cannot get into my aol account to close it. Tried phoning them - message said there would be a 15 minute wait. Was prepared to wait but after a few minutes they hung up.
  • Heather on

    I have lost access to my aol account and cannot change my password. I got a message after the last email I received was at 10.30 on the 6/5/14 password incorrect. Tried the password on the aol website and it's wrong so it has definitely been changed. I suspect my backup email has been changed too because when I try and get in to change the password it says the backup email is incorrect. Now it has told me to contact aol which I did and they said they couldn't answer the call and to ring back after 2 hours. I have been with aol over 15 years and don't take kindly to being treated as though I don't know what I am doing. I am not sure what to do now.
  • Tanya Hanson on

    I was hacked over night. My contacts are gone. How do I get them back? How did somebody get to them? I have great computer security. Are my folders in danger?
  • Patricia Kurmin on

    I am considering closing my aol account because in the past two months I have received several calls threatening to call the police or to close my account. A month ago I reported this to my local police who took the complaint and agreed this was a scam. It is a security breach on Aol's part. Is there anything you can do about this matter?
  • Carol Cantell Moorby on

    I have not changed my password yet I keep getting a message which says it is not the right password. This is the second time this has happened....I can't get my email or send any email. I don't want to change my password.....When I call to talk to an operator they don't understand me and I can't understand them either. They just hang up on me which is rude and wrong. You need to help me fix my account and explain why this keeps happening.
  • Carol Cantell Moorby on

    Just to add to my previous comment.....I have been with you for years and may have to drop if you can't get the problem resolved. Especially the rude operator who hung up on me.
  • ena king on

    I was hacked on 6 July when I wasn't even home on the computer. Now even though I have changed the password, it won't let me into my e-mail account. What happens next?

    This has happened to one of my accounts 3 times since April, despite immediate and elaborate password and security question and answer changes... but, guess what? I deleted all my contacts last time and today when my account was "spoofed" [hacked] the only email sent was to my own screenname. It's tedious to remember or otherwise keep track of contacts, but if you delete them, at least the spam will not go out to your co-workers, boss, craigslist contacts or whomever... I would highly suggest deleting your entire contact list from ALL your AOL usernames before cancelling your account, just in case.
  • GZ on

