Last week I described how many AOL accounts appeared to be spamming out links to diet spam and Android malware, and speculated that the service could have suffered a serious breach of security.
At the time I wrote:
have the address books of AOL users or AOL’s mail logs somehow fallen into the hands of malicious third parties?
In a statement posted yesterday, AOL confirmed my fears:
AOL’s investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.
AOL is attempting to calm user fears that unencrypted passwords may now be in the hands of hackers, but at the same time is sensibly suggesting that users change their passwords:
Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted.
Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.
Of course, this isn’t necessarily just a problem for your AOL account. If you were using the same password for any other online account (which is, as we have discussed many times before, very bad practice) then you need to change those passwords too.
And it’s not just passwords that you have to worry about. AOL says that address books were also accessed, which means that online criminals now know who you correspond with and how to contact them. That is exactly what the spoofed mail described in AOL’s statement needs: a message that appears to come from you, sent to people who actually know you, is far more likely to be opened than a cold phishing email.
In more bad news, the encryption on the answers to security questions is a thinner shield than the encryption on the passwords, whether or not it is ever “broken”. A password can be long and random; the answer to “What is your mother’s maiden name?” is a surname, drawn from a small and well-known set, and most reset forms ignore case and spacing, which shrinks that set further. If the stolen values can be checked offline (as they can when they are salted hashes rather than ciphertext under a key the attackers do not hold), a few tens of thousands of guesses per account will recover most of them. As Martijn Grooten points out, it’s going to be really awkward asking your mother to change her maiden name again…
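To make that concrete, here is an added example (not AOL’s code, and not from the original post) that simulates the situation: security-question answers stored as per-record salted PBKDF2-HMAC-SHA256 hashes (an assumed storage format; AOL has not said how the answers were protected), then attacked with a short, constructed surname list. The real answer falls in a handful of guesses; a long random string entered in place of a real answer is not found at all.

```python
"""Offline guessing of hashed security-question answers (constructed example).

Assumption: answers are stored as salted PBKDF2-HMAC-SHA256, a sound choice
for passwords. The point is that it still does not help when the answer is
drawn from a tiny space such as surnames.
"""
import hashlib
import os
import unicodedata
from typing import Iterable, Optional, Tuple

ITERATIONS = 50_000  # assumed work factor; lower than real deployments for speed


def normalise(answer: str) -> str:
    """Fold case, accents and separators the way most reset forms do,
    so 'De La Cruz' and 'delacruz' compare equal. Convenient for users,
    but it also shrinks the space an attacker has to search."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def hash_answer(answer: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Protected form of a stored answer (hypothetical format)."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, iterations)


def crack(stored: bytes, salt: bytes, candidates: Iterable[str],
          iterations: int = ITERATIONS) -> Tuple[Optional[str], int]:
    """Attacker side: recompute the hash for each candidate answer with the
    stolen salt. Returns (recovered answer or None, number of guesses made)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hash_answer(cand, salt, iterations) == stored:
            return normalise(cand), guesses
    return None, guesses


# Constructed sample wordlist: ten common surnames stand in for the few tens of
# thousands a real attacker would load from a census table.
COMMON_SURNAMES = ["smith", "johnson", "williams", "brown", "jones",
                   "garcia", "miller", "davis", "rodriguez", "martinez"]


def demo() -> dict:
    salt = os.urandom(16)
    # Record 1: a genuine answer to "mother's maiden name".
    victim = hash_answer("Garcia", salt)
    # Record 2: the same question answered with a random string, as someone
    # using a password manager to store a fake answer would do.
    random_answer = hashlib.sha256(os.urandom(32)).hexdigest()
    hardened = hash_answer(random_answer, salt)
    return {
        "victim": crack(victim, salt, COMMON_SURNAMES),      # recovered in 6 guesses
        "hardened": crack(hardened, salt, COMMON_SURNAMES),  # (None, 10): not found
    }


if __name__ == "__main__":
    print(demo())
```

The defence the example illustrates is the one AOL’s advice implies: treat the security answer as a second password. A random string stored in a password manager survives exactly the same wordlist that recovers a real surname in six tries.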
Be on your guard.