AOL traces mystery spam flood to security breach; passwords and more stolen

E-mail addresses and encrypted passwords compromised for oughly 2 percent of accounts, AOL says.

AOL is asking users to reset their passwords as it investigates a recent flurry of spam e-mails.

According to Reuters, the uptick in AOL spam is related to a security breach that affected roughly 2 percent of users. Hackers made off with e-mail addresses, mailing addresses, encrypted passwords, and encrypted security questions. AOL says it's still investigating the matter in conjunction with federal employees.

So far, there's no evidence that the encryption on passwords and security questions has been broken. There's no sign of financial information being compromised either, the Wall Street Journal reports.

Users began complaining last week of spam e-mails from their AOL accounts. AOL originally suggested that these users were victims of spoofing, in which a spammer mimics a trusted address in the "From" field of an e-mail. In these cases, the message doesn't actually come from the victim's account, and doesn't even originate from the mail provider's servers.

The strange thing about AOL's case is that the spoofed e-mails were going out to contacts in the victims' address books. AOL still hasn't explained exactly how this happened, though it seems likely that the security breach had something to do with it.

In any case, users won't be able to stop the spam by changing their passwords, because the spam isn't actually being sent from their e-mail accounts. But AOL says it it is now telling other DMARC-compliant mail providers, such as Gmail, Yahoo Mail and, to reject AOL e-mails that don't come from AOL servers. This may require some changes by e-mail marketers and mailing lists, but it's a necessary move to stem the tide of spam.

Tags emailAOLspamReutersantispamsecuritywall street journal


Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Cloud Security and Compliance Solutions

Manage and visualize the security and compliance of VMware, physical, and hybrid-cloud infrastructure from the RSA Archer eGRC Platform.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.