AOL has confirmed that the breach of its Mail service is much more extensive than first reported after an ongoing investigation determined that hackers compromised a large number of user accounts and exposed sensitive personal and account information.
“We are writing to notify you that AOL is investigating a security incident that involved unauthorized access to AOL’s network and systems,” the company said in a statement. “AOL is working with best-in-class external forensic experts and federal authorities to investigate this serious criminal activity.”
The company first became aware of the attack after a deluge of complaints from users who reported their accounts were being used to send spam messages to contacts. In many cases the accounts had not actually been breached but were being spoofed by spammers to make it appear that the messages were coming from a specific AOL Mail user.
The company now acknowledges that as many as two percent of AOL Mail accounts have indeed been compromised and that the attackers were leveraging the information in a massive spam campaign, but it is confident no financial or payment data was exposed.
“We have determined that there was unauthorized access to information regarding a significant number of user accounts,” the company stated. “This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.”
In response to the spoofing, AOL has changed its policy to help other mail providers filter out any messages that are sent using spoofed AOL Mail addresses. The company said the policy change may temporarily have a negative impact on legitimate senders of email, so users may need to adjust how they send their email messages to comply with the new policy outlined here.
“If you do find email in your Sent folder that you did not send, your account has been compromised (hacked). If you do not find any strange email in your Sent folder, your account has most likely been spoofed,” AOL’s help page on spoofing explains. “If you believe that your account has been compromised, or that your AOL Mail email address has been used to send spoofed messages, please visit the AOL Help site.”
The company recommends that users and employees reset their passwords for all AOL services and change their security questions and answers.