Anyone with an AOL email address was urged to change their password and security questions this week after a cyber attack which compromised a "significant number of user accounts" - quoted by news agency Reuters as around 2% of all AOL accounts. The Reuters report states that the AOL email breach could affect a significant number of AOL's tens of millions of accounts.
The company said that it was working with "best-in-class external forensic experts and federal authorities" to address the email breach, according to Beta News , which has allowed hackers to obtain email addresses, postal addresses, encrypted passwords and answers to security questions used to reset passwords. CBC also reported that user address books may have been exposed.
The breach first came to light after an epidemic of spam promoting diet remedies hit AOL last week, as reported by We Live Security.
In an official blog post, the company said, “AOL's investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.”
The company said that there was no evidence that the passwords had been decrypted, but in such cases, the gangs involved can often break encryption to reveal plain text passwords, given enough time, and specialized ‘cracking’ software, as seen. This is thought to have occurred in the Adobe breach, where 40 million encrypted emails were stolen, reported by We Live Security here.
AOL said, “AOL's investigation began immediately following a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses. Spoofing is a tactic used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it.”
The company said it was addressing the situation “forcefully”, but declined to provide an exact number of affected users. AOL said that all affected users would be notified, and “we strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.”
The company is providing an information page for consumers at faq.aol.com