AOL breach confirmed, bigger than initially thought

Recent spam emails apparently sent from AOL email addresses and hawking diet products are a direct consequence of a breach of the company’s networks and systems, AOL has confirmed.

“AOL’s investigation began immediately following a significant increase in the amount of spam appearing as “spoofed emails” from AOL Mail addresses,” the AOL Mail Team shared. The company is working both with the federal authorities and external forensic experts to get at the bottom of the matter.

The investigation is still ongoing, but they have discovered that the attackers have accessed information on about 2 percent of user accounts, belonging to an estimated half a million of users.

What information was taken? Users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions. Certain employee information was also compromised.

There is also good news: so far, it seems that this encryption protection has not been broken and, also, no financial information provided by the users has been accessed.

AOL has been notifying users of the breach, and is urging them to change their passwords and security question and answer just in case. They are also warning them to be wary of emails claiming to come from AOL and containing links for resetting passwords.

“Large-scale breaches like this usually lead to widespread phishing attacks, which prey on people’s security concerns in an attempt to trick them into revealing more data,” commented Keith Bird, UK managing director of Check Point. “Users should only reset their passwords via the main website, and never from emails, no matter how plausible they appear to be.”

“If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and to avoid clicking the links in suspicious emails,” the security team has also added.

In the wake of the aforementioned spam run, the company has also changed their DMARC policy “to tell DMARC-compliant email providers like Gmail, Yahoo! Mail, and others (including AOL Mail itself) to reject mail from AOL addresses that are sent from non-AOL servers.”

“Sending mail on behalf of AOL Mail users from non-AOL servers had been a common and legitimate practice for services like mailing lists and bulk senders. But it also provided the means for spammers to spoof addresses as described above. By switching AOL Mail’s policy to ‘reject,’ we significantly thwart spammers’ ability to spoof AOL addresses,” the company explained in a breach-related FAQ section.

Don't miss