The online portal said that it is investigating a security incident that involved unauthorized access to AOL's network and systems. AOL said in a posting on its website that the info-looters lifted AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that it asks when a user resets his or her password, as well as certain employee information.
AOL's investigation began following a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses. “We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts,” it said.
Spoofing is a tactic used by spammers to make a message appear to come from an email user known to the recipient, in order to trick the recipient into opening it. These emails do not originate from the sender's email account or email service provider; the addresses are just edited to make them appear that way.
Spamming and spoofing aside, the more critical information appears to be safe. “Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken,” AOL noted. “In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted.”
Nonetheless, as a precautionary measure, users and employees should reset the passwords they use for any AOL service and change their security question and answer.
AOL is notifying potentially affected users, and “is working closely with federal authorities to pursue this investigation to its resolution,” it said. “Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts.”
As always, users should not respond to a suspicious email or click on any links or attachments in it, and when in doubt about the authenticity of a message, they should contact the sender to confirm that he or she actually sent it.
“AOL will never ask you for your password or any other sensitive personal information over email,” the company said. “If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and to avoid clicking the links in suspicious emails.”