AOL's investigation began immediately following a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses. Spoofing is a tactic used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it. These emails do not originate from the sender's email or email service provider - the addresses are just edited to make them appear that way.
AOL's investigation is still underway; however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.
Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted.
Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.
The ongoing investigation of this serious criminal activity is our top priority. We are working closely with federal authorities to pursue this investigation to its resolution. Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts.
AOL is notifying potentially affected users and is committed to ensuring the protection of its users, employees and partners and addressing the situation as quickly and forcefully as we can.
In addition, there are steps you can take to protect yourself from cyber risks. They include:
- If you receive a suspicious email, do not respond or click on any links or attachments in the email.
- When in doubt about the authenticity of an email you have received, contact the sender to confirm that he or she actually sent it.
- Never provide personal or financial information in an email to someone you do not know. AOL will never ask you for your password or any other sensitive personal information over email.
- If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and that they should avoid clicking the links in suspicious emails.
For more information, please visit faq.aol.com.
-AOL Security Team