AOL said it is investigating a large scale breach of AOL Mail in which “a significant number” of accounts were compromised.
User information including encrypted passwords, encrypted answers to security questions, postal addresses, and address book contacts was compromised, the company said in a blog post.
However, AOL said that no users’ financial information has been stolen and there is no indication that the encryption on passwords or answers to security questions was broken.
It remains to be seen whether AOL actually meant that users’ passwords and security answers were hashed rather than encrypted (an important distinction when it comes to storing passwords properly).
As a precautionary measure, AOL advised users of any of its services to change their passwords and security questions.
The company said it is working with an external forensics team and federal investigators to find the source of the “serious criminal activity” behind the compromise, which affected about 2% of AOL Mail accounts.
Some media outlets have estimated that 2% of AOL Mail accounts is equivalent to about 500,000 users.
On 28 April, AOL posted an FAQ on its help page that stated the compromise likely occurred when someone gained access to a portion of the network where user account information was stored:
“Our investigation remains ongoing, but we believe that a person gained unauthorized access to the AOL network where some user information is stored.”
AOL’s announcement confirming the breach on Monday 28 April came after a week of user complaints about spam being sent to their contacts.
On 22 April, the company’s mail team announced that it was changing its email authentication policy to crack down on the sending of “spoofed” emails that appear to come from AOL addresses but do not come from AOL mail servers.
Spoofing refers to fraudulently altering an email’s “From” header so that a message appears to come from a stolen email address, even though it was never sent from that account.
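As an added illustration, not from the article or from AOL: a receiving mail server that records its SPF and DKIM results in an Authentication-Results header can flag messages whose visible From address claims a domain that neither check authenticated, which is how spoofed mail of this kind is caught on the receiving side. The two sample messages and the header values are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From: claims an AOL address, but the receiving
# MTA recorded an SPF failure for an unrelated envelope domain and no DKIM signature.
SPOOFED = """From: Friend <someone@aol.com>
To: victim@example.net
Subject: How are you?
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none

Have you already seen it? http://spam.invalid/
"""

# Constructed sample: same visible sender, but SPF and DKIM both passed for aol.com.
LEGIT = """From: Friend <someone@aol.com>
To: victim@example.net
Subject: hello
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=aol.com; dkim=pass header.d=aol.com

See you tomorrow.
"""


def header_from_domain(msg):
    """Domain of the address shown in the visible From: header (what the user sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def aligned_pass(msg):
    """True if SPF or DKIM passed for a domain matching the From: domain.

    Only trust Authentication-Results written by your own MTA; strip any copies
    that arrive from outside before running this check.
    """
    claimed = header_from_domain(msg)
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:\S+@)?([\w.-]+)", results)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", results)
    for match in (spf, dkim):
        if match and match.group(1).lower() == "pass" and match.group(2).lower() == claimed:
            return True
    return False


def looks_spoofed(raw_message):
    """Flag a message whose From: domain was authenticated by neither SPF nor DKIM."""
    return not aligned_pass(message_from_string(raw_message))
```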
According to media reports, the spam messages appearing to come from spoofed AOL email addresses contain links to malicious phishing websites and online markets for diet pills.
Virus Bulletin reported that malicious links in spoofed AOL emails download Trojan malware when opened on Android devices.
One spam email obtained by GigaOm contained the subject line “How are you?”
In the message body it simply says “Have you already seen it?” followed by a link to the spam website.
What to do if your account was compromised
If you’re an AOL Mail user, visit account.aol.com to change your password and security question immediately.
If you use the same password as your AOL account for other websites, change those passwords as well – and remember, you should use a unique password for each of your online accounts in case one of them is compromised.
Consider using a password manager such as LastPass or 1Password to generate and store complex passwords.
More on password security
For a deeper understanding of password security, listen to this episode of Sophos Techknow – Busting Password Myths.
9 comments on “AOL Mail accounts breached, users advised to change passwords”
Oh oh, again! Luckily I have a unique password for each of my online accounts so I am safe, but without a password manager it would not be possible. I recommend that everyone use one.
Does this also apply to TalkTalk email accounts that use AOL mail?
Hi Mark – you should change your TalkTalk password – AOL recommends it for any of its services including TalkTalk.
If they have my name and home address, they can figure out a way to steal everything.
The impact of this breach goes beyond just AOL users – notice the point about address books being compromised.
I got one of these spam emails from my father-in-law’s AOL address. Even though the email came from a non-AOL server (aka they didn’t breach his password or log in to his account), it still means the attackers have all his contact info and can use that for phishing. It also means that now I’ve been indirectly affected by this data breach just for being in someone’s address book.
I would say in that case – rather than 500,000 people being affected – there are likely several million when you consider all the email addresses and potential relationships they can map based on the unencrypted data.
You make some excellent points Jason – a lot of people will see more spam and phishing as a result of this breach.
I hope you told your father-in-law to change his password anyway!
I’m one of the AOL customers affected. Initially the phishing emails were spoofed, but later emails look like they came from my account. The weird part is that the non-spoofed emails were sent after I changed my password and security questions. (I did that as soon as I realized the spoofed emails were going to people in my address book.)
I scanned my computer right away and found no viruses. A friend who works in IT security told me that the messages must have been sent via the AOL website. (I use the AOL software on my computer & almost never sign in at the website, though I do use their Alto mail service.) He looked on my computer and said it was difficult to get a clear idea of what was going on because of the way AOL does things.
I took some consolation from the fact that I learned about the problem when emails were bounced to me after being caught by some recipients’ email software, and the thought that the emails were very obvious scams that won’t take in too many people.
My AOL account was hacked today. Emails were sent to every email address I had. I received replies back from several of the emails with a ticket number, even Apple Computer about my order. I am so concerned about my entire computer now. Who is getting into it? Can my identity be stolen? How do I protect myself now? How do I tell those people who received emails thinking it was from me? What a mess, another inconvenient, take-time-for-this-out-of-my-day scam. I called up AOL and got someone in Romania, no wonder it’s getting hacked. How do I prevent this and stop i
My account was hacked in July 2016 and I have changed passwords and security questions. AOL security stated that there was a user on my account that lives in Dublin, Ohio,