Users of America Online (AOL) Mail were advised this week to
change their passwords as soon as possible, after a security breach hit
the email service.
In a blog post, the AOL Security Team said it is investigating a
"security incident" that involved "unauthorized access" to its systems.
"We are
writing to notify you that AOL is investigating a security incident that
involved unauthorized access to AOL's network and systems. AOL is
working with best-in-class external forensic experts and federal
authorities to investigate this serious criminal activity," it said.
AOL said it noticed a "significant" increase in the amount of spam mail
spoofing AOL Mail addresses to trick recipients into opening the
messages.
AOL added that its investigation so far indicates "unauthorized access
to information regarding a significant number of user accounts."
"This information
included AOL users' email addresses, postal addresses, address book
contact information, encrypted passwords and encrypted answers to
security questions that we ask when a user resets his or her password,
as well as certain employee information. We believe that spammers have
used this contact information to send spoofed emails that appeared to
come from roughly 2% of our email accounts," it said.
However, it said there is no sign that the attackers broke the encryption on the passwords or the answers to security questions.
There is also no sign so far that the attack has led to the disclosure of
users' financial information, including debit and credit cards, which it
said is also fully encrypted.
Still, it urged users to change passwords as a precaution.
"Although there is no indication that the encryption on the passwords
or answers to security questions was broken, as a precautionary measure,
we nevertheless strongly encourage our users and employees to reset
their passwords used for any AOL service and, when doing so, also to
change their security question and answer," it said.
In the meantime, AOL said its security team has enhanced protective measures and is notifying potentially affected users.
Protection
AOL also urged users to take precautions against cyber risks, including:
- Not responding to suspicious email, or clicking on any links or attachments in the email.
- Contacting the sender to confirm that he or she actually sent an email, when in doubt about the authenticity of an email.
- Not providing personal or financial information in an email to someone you do not know.