Los Angeles Times
POSTED: 07:06 a.m. HST, Apr 28, 2014
LAST UPDATED: 12:24 p.m. HST, Apr 28, 2014
AOL Inc. has confirmed what many suspected: The company suffered a major security breach.
Hackers were able to steal the email addresses, postal addresses, address books, encrypted passwords and the encrypted answers to security questions of "a significant number of user accounts," the New York-based company said Monday.
"The ongoing investigation of this serious criminal activity is our top priority," AOL said in a note. "We are working closely with federal authorities to pursue this investigation to its resolution. Our security team has put enhanced protective measures in place, and we urge our users to take proactive steps to help ensure the security of their accounts."
AOL said it began investigating the matter after it saw a significant increase in the amount of spam email being sent from accounts that were set up to look like AOL Mail addresses. This is a tactic known as "spoofing."
Spoofing is "used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it," AOL said. "These emails do not originate from the sender's email or email service provider -- the addresses are just edited to make them appear that way."
The company said it appears spammers are using the stolen contact information to send spoof messages from email addresses mimicking 2 percent of AOL's accounts.
The rise in spoof AOL spam email occurred last week, leading many experts to believe that the company had been hacked. John Levine, an expert in email infrastructure, said AOL's announcement Monday comes as no surprise.
"It's been painfully obvious that the crooks managed to steal the email addresses and the address books since I saw spam coming from an AOL address to recipients that were in that person's address book," said Levine, who co-wrote "The Internet for Dummies."
Levine said it is hard to gauge how significant of a breach AOL suffered because the company did not say how many users were affected, but it is clear that AOL must improve its cybersecurity.
"It's their job to keep their system secure. We all know it's hard, but it's a modern online service. It's a key part of what they do," he said. "It's incumbent on them to step up and deal with the costs."
AOL suggests that all its users and employees change their passwords and their security questions and answers to protect themselves from hackers.