Security breach at AOL. Users told to change passwords

Last week I described how many AOL accounts appeared to be spamming out links to diet spam and Android malware, and speculated that the service could have suffered a serious breach of security.

At the time I wrote:

have the address books of AOL users or AOL’s mail logs somehow fallen into the hands of malicious third parties?

In a statement posted yesterday, AOL confirmed my fears:

AOL's investigation is still underway; however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

AOL is attempting to calm user fears that unencrypted passwords may now be in the hands of hackers, but at the same time is sensibly suggesting that users change their passwords:

Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted.

Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.

Of course, this isn't necessarily just a problem for your AOL account. If you were using the same password for any other online account (which is, as we have discussed many times before, very bad practice) then you need to change those passwords too.

And it's not just passwords that you have to worry about. AOL says that address books have also been accessed, which means that online criminals now know who you are friends with, and how to contact them - making it easy for them to create convincing scam emails or attempt to send out phishing campaigns.

In more bad news, if the hackers manage to crack the encryption they might be able to determine your "secret answers" to security questions as well. As Martijn Grooten points out, it's going to be really awkward asking your mother to change her maiden name again...

Be on your guard.

2 Responses

  1. Coyote

    April 29, 2014 at 4:55 pm

    I've written about this before elsewhere but I'll just summarise it here. This little statement of theirs fully shows how naive – and indeed – companies can be:
    "Although there is no indication that the encryption on the passwords or answers to security questions was broken,"

    Security questions are broken by design (so I guess the quote is a matter of perspective), especially when they don't allow you to specify your own question. Even then, though, it is almost assuredly going to be a question that is personal and therefore the only gains are (and don't even get me started on any possible questions that have only specific answers… I hope… really hope… nothing like that does exist but it wouldn't surprise me either):
    1. The company doesn't have to deal with helping users with lost passwords (instead they get to deal with compromised accounts. Great compromise… I'm sure).
    2. The user can be mindless about this and practically give away the answer and well, this is quite awesome for the attackers, isn't it?

    Great gains. Like I was writing… broken by design.

  2. Anon

    April 29, 2014 at 7:36 pm

    This is why you should treat a secret answer like a password and make it randomly generated characters – not the real answer – stored in a password management app instead of an easily guessable / socially engineer-able answer!
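The approach in the comment above, as an added example that is not part of the original post or either commenter's words: the user side generates a random string to use as the "secret answer" (to be pasted into a password manager, never memorised), and a hypothetical service side stores it the way a password should be stored, as a salted slow hash rather than reversible encryption, so a dump of stored answers is not directly usable. The alphabet, answer length and PBKDF2 iteration count are assumptions chosen for the example, and `entropy_bits` lets you compare a random answer against a real one (a maiden name drawn from a few thousand common surnames is roughly 11 to 13 bits).

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet: letters and digits, avoiding symbols that some
# password-reset forms reject or mangle (example choice, not AOL's rule).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 20) -> str:
    """User side: a random 'secret answer' meant to live in a password manager.

    secrets.choice is a CSPRNG; random.choice would be predictable.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string of this length/alphabet.

    Compare with a real answer: a name picked from a list of N surnames
    has log2(N) bits, whatever its length.
    """
    return length * math.log2(alphabet_size)


def store_answer(answer: str, iterations: int = 200_000) -> tuple[bytes, bytes]:
    """Service side (hypothetical): store a salted slow hash, not ciphertext.

    The answer is treated exactly like a password: no case-folding or
    whitespace stripping, so nothing reduces the entropy before hashing.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes,
                  iterations: int = 200_000) -> bool:
    """Recompute the hash for the submitted answer and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    answer = random_answer()
    print("generated answer:", answer)
    print("entropy (bits):", round(entropy_bits(len(answer)), 1))
    print("a surname from a 4,000-name list:", round(math.log2(4000), 1), "bits")
    salt, digest = store_answer(answer)
    print("verify correct:", verify_answer(answer, salt, digest))
    print("verify wrong:  ", verify_answer(answer[:-1] + "!", salt, digest))
```

Storing only a salted slow hash is the part a service controls; generating a random answer is the part the user controls. Either alone helps, and the comment's advice covers the user half regardless of how the provider stores the answer.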
