AOL Investigating Breach, Urges Users to Change Passwords

AOL transparency report

AOL said its networks were breached and customer information was stolen to send spoofed spam messages. Users are being told to change their passwords.

AOL reported today that it has been breached and urges users of its web-based email and other online services to change their passwords.

AOL’s investigation of a breach of its internal network and systems is under way with the help of federal authorities and a forensics firm, the company said.

Last week, AOL acknowledged a spike in customer complaints over spam messages coming from what turned out to be spoofed AOL accounts.

AOL was not specific about the number of accounts that were compromised, only calling it a “significant” number. Hackers accessed not only users’ personal information, including email addresses, and postal addresses, but also encrypted passwords and encrypted security questions and answers.

“We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts,” AOL said in a statement.

The encrypted information, AOL said, has likely not been compromised yet it still strongly recommended that users change their passwords.

“AOL is notifying potentially affected users and is committed to ensuring the protection of its users, employees and partners and addressing the situation as quickly and forcefully as we can,” AOL said.

Suspicions about the compromise were raised last week when chatter on Twitter grew about the number of spam messages coming from AOL email addresses.

Brian Alvey, a developer in the content management space, wrote last week that he surmised AOL had been exploited.

“When you load [AOL’s] webmail interface your browser makes several calls into AOL for data. One is to login. Another is to load all the messages in your inbox. Another is to load your address book so you can a) see who your friends are and b) easily send them email, auto-completing addresses as you type them,” Alvey said. “Each of those data calls should have security checks.”

Alvey surmises that there may not have been a security check like this in place, something that could allow an attacker to bypass security and secure access to users’ address books without being forced to guess passwords or go through the trouble of hacking into the affected accounts.

“The ongoing investigation of this serious criminal activity is our top priority. We are working closely with federal authorities to pursue this investigation to its resolution,” AOL said. “Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts.”

AOL was not specific about what those measures would be.

Suggested articles