Security breach at AOL. Users told to change passwords

Last week I described how many AOL accounts appeared to be spamming out links to diet spam and Android malware, and speculated that the service could have suffered a serious breach of security.

At the time I wrote:

have the address books of AOL users or AOL’s mail logs somehow fallen into the hands of malicious third parties?

In a statement posted yesterday, AOL confirmed my fears:


AOL’s investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

AOL is attempting to calm user fears that unencrypted passwords may now be in the hands of hackers, but at the same time is sensibly suggesting that users change their passwords:

Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted.

Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.

Of course, this isn’t necessarily just a problem for your AOL account. If you were using the same password for any other online account (which is, as we have discussed many times before, very bad practice) then you need to change those passwords too.

And it’s not just passwords that you have to worry about. AOL says that address books have also been accessed, which means that online criminals now know who you are friends with, and how to contact them – making it easy for them to create convincing scam emails or attempt to send out phishing campaigns.

In more bad news, if the hackers manage to crack the encryption they might be able to determine your “secret answers” to security questions as well. As Martijn Grooten points out, it’s going to be really awkward asking your mother to change her maiden name again…

Be on your guard.

Further reading:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Security breach at AOL. Users told to change passwords”

  1. Coyote

    I've written about this before elsewhere but I'll just summarise it here. This little statement of theirs fully shows how naive – and indeed – companies can be:
    "Although there is no indication that the encryption on the passwords or answers to security questions was broken,"

    Security questions are broken by design (so I guess the quote is a matter of perspective), especially when they don't allow you to specify your own question. Even then, though, it is almost assuredly going to be a question that is personal and therefore the only gains are (and don't even get me started on any possible questions that have only specific answers… I hope… really hope… nothing like that does exist but it wouldn't surprise me either):
    1. The company doesn't have to deal with helping users with lost passwords (instead they get to deal with compromised accounts. Great compromise… I'm sure).
    2. The user can be mindless about this and practically give away the answer, and well, this is quite awesome for the attackers, isn't it?

    Great gains. Like I was writing… broken by design.

  2. Anon

    This is why you should treat a secret answer like a password and make it randomly generated characters – not the real answer – stored in a password management app instead of an easily guessable / socially engineer-able answer!
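Anon's suggestion put into practice, as an added example that is not part of the post or the comments: generate a security answer the way a password manager generates a password, and compare the attacker's guess space against a "real" answer such as a surname. The `COMMON_ANSWERS` list and the 150,000-surname figure are constructed for illustration.

```python
import math
import secrets
import string

# Characters assumed to be accepted by a security-answer field; some sites
# allow only letters and spaces, in which case shrink this alphabet.
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed sample of "real" answers that a site might refuse to accept.
COMMON_ANSWERS = frozenset({"smith", "johnson", "williams", "brown",
                            "jones", "garcia", "miller", "davis"})


def random_security_answer(length: int = 20) -> str:
    """Generate a security answer like a password: uniformly random
    characters from the OS CSPRNG, meant to live in a password manager."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def dictionary_bits(candidates: int) -> float:
    """Entropy in bits when the answer is one of `candidates` real-world
    values (e.g. surnames) that an attacker can simply enumerate."""
    return math.log2(candidates)


def is_low_entropy_answer(answer: str, common=COMMON_ANSWERS) -> bool:
    """Defender-side check: flag an answer that is short or appears in the
    common-answer list (case- and whitespace-insensitive)."""
    normalised = "".join(answer.lower().split())
    return len(normalised) < 12 or normalised in common


if __name__ == "__main__":
    answer = random_security_answer()
    print("random answer:", answer)
    # Assumed size of a surname dictionary an attacker might try.
    print("surname from a ~150k list: %.1f bits" % dictionary_bits(150_000))
    print("20 random alphanumerics:  %.1f bits"
          % guess_space_bits(len(ANSWER_ALPHABET), 20))
    print("flag 'Smith'?", is_low_entropy_answer("Smith"))
    print("flag random answer?", is_low_entropy_answer(answer))
```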
