Last week I described how many AOL accounts appeared to be spamming out links to diet spam and Android malware, and speculated that the service could have suffered a serious breach of security.
At the time I wrote:
have the address books of AOL users or AOL’s mail logs somehow fallen into the hands of malicious third parties?
In a statement posted yesterday, AOL confirmed my fears:
AOL’s investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.
AOL is attempting to calm user fears that unencrypted passwords may now be in the hands of hackers, but at the same time is sensibly suggesting that users change their passwords:
Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted.
Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.
Of course, this isn’t necessarily just a problem for your AOL account. If you were using the same password for any other online account (which is, as we have discussed many times before, very bad practice) then you need to change those passwords too.
And it’s not just passwords that you have to worry about. AOL says that address books have also been accessed, which means that online criminals now know who you are friends with, and how to contact them – making it easy for them to create convincing scam emails or attempt to send out phishing campaigns.
In more bad news, if the hackers manage to crack the encryption they might be able to determine your “secret answers” to security questions as well. As Martijn Grooten points out, it’s going to be really awkward asking your mother to change her maiden name again…
Be on your guard.
2 comments on “Security breach at AOL. Users told to change passwords”
I've written about this before elsewhere but I'll just summarise it here. This little statement of theirs fully shows how naive – and indeed – companies can be:
"Although there is no indication that the encryption on the passwords or answers to security questions was broken,"
Security questions are broken by design (so I guess the quote is a matter of perspective), especially when they don't allow you to specify your own question. Even then, though, it is almost assuredly going to be a question that is personal and therefore the only gains are (and don't even get me started on any possible questions that have only specific answers… I hope… really hope… nothing like that does exist but it wouldn't surprise me either):
1. The company doesn't have to deal with helping users with lost passwords (instead they get to deal with compromised accounts. Great compromise… I'm sure).
2. The user can be mindless about this and practically give away the answer, and well, this is quite awesome for the attackers, isn't it?
Great gains. Like I was writing… broken by design.
This is why you should treat a secret answer like a password and make it randomly generated characters – not the real answer – stored in a password management app instead of an easily guessable / socially engineer-able answer!
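As an added illustration of the advice in that comment (example code written for this page, not code from the article, the commenters or AOL): a small Python module that treats a security answer exactly like a password. It generates the random answers the comment recommends, refuses answers that are short or appear on a constructed list of guessable ones, and stores the accepted answer as a salted PBKDF2 digest rather than anything reversible. The common-answer list, the iteration count and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed, illustrative list of answers that are easy to guess or look up.
# A real policy would use a much larger published list (assumption, not from the article).
COMMON_ANSWERS = {"smith", "johnson", "williams", "brown", "jones", "fluffy", "rex", "1234"}

PBKDF2_ITERATIONS = 200_000  # assumption: tune to the hardware budget of the login service


def canonicalise(answer: str) -> str:
    """Trim and collapse whitespace so 'Rex ' and 'Rex' compare equal.
    Case is preserved so randomly generated answers keep their full entropy."""
    return " ".join(answer.split())


def is_weak_answer(answer: str) -> bool:
    """Reject answers that are short or appear on the common-answer list."""
    a = canonicalise(answer).lower()
    return len(a) < 8 or a in COMMON_ANSWERS


def generate_answer(nbytes: int = 16) -> str:
    """Random, URL-safe answer (128 bits of entropy for nbytes=16) meant to live
    in a password manager, not in the user's head."""
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the answer like a password: per-record random salt plus a slow KDF,
    so a leaked table cannot be turned back into answers with one stolen key."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalise(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonicalise(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def enrol_answer(answer: str) -> Tuple[bytes, bytes]:
    """Server-side enrolment: refuse weak answers, otherwise salt-and-hash."""
    if is_weak_answer(answer):
        raise ValueError("security answer is too short or too common")
    return hash_answer(answer)


if __name__ == "__main__":
    strong = generate_answer()
    salt, digest = enrol_answer(strong)
    print("weak 'Smith' rejected:", is_weak_answer("Smith"))
    print("random answer verifies:", verify_answer(strong, salt, digest))
```

The design choice worth noting is that the stored value is a salted digest, not an encrypted answer: a digest cannot be recovered even by someone who obtains the service's own keys, whereas reversible encryption stands or falls with the secrecy of that key. Whitespace is canonicalised so a trailing space does not lock a user out, but case is kept, because lowercasing a generated answer would throw away part of its entropy.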