AOL asking users to change passwords after discovering breach

Summary: Accessed information included email addresses, encrypted passwords and security questions

TOPICS: Security

AOL is asking potentially millions of its email users to change their passwords and security questions after discovering a cyber attack that potentially compromised the accounts of a small portion of its user base.

The company said it had discovered unauthorized access to its networks and systems and said the information accessed included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions used for password resets.

Roughly 2% of AOL's users are affected, the company said. AOL's Web-based email has lost favor with users over the years. The company does not announce user figures, but declining numbers have been the ongoing trend as Google, Microsoft and Yahoo have risen to the top of the Web-based email heap.

The company issued a statement Monday via its blog and filed the same information with the Securities and Exchange Commission as is protocol.

The company is advising its users to change their passwords and to change passwords on other accounts if they re-used their AOL credentials there.

AOL said it has no indication that encryption was broken on passwords and security questions. And it said there is no indication of the loss of users' financial information, including debit and credit cards.

The company said the attack was discovered after a flood of complaints about spoofed emails appearing to come from AOL's end-users. The spoofing was first noticed on April 22, according to AOL. At that time, the company made changes to its DMARC (Domain-based Message Authentication, Reporting and Conformance) servers so other email providers would know to reject messages with AOL addresses that originated from non-AOL servers.
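The mechanism the article describes is a receiver reading the sender domain's published DMARC policy and applying it when SPF and DKIM do not align with the From: domain. The following is an added illustration, not code from the article or from AOL, using a constructed policy record and example.com as a stand-in domain; the organizational-domain logic is simplified (real receivers consult the public suffix list).

```python
# Added example: minimal DMARC policy evaluation, as a receiving mail server
# would do it. The record below is constructed for illustration only and is
# NOT any real domain's published DNS record.
SAMPLE_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    # Defaults from the DMARC spec: relaxed alignment, apply to 100% of mail.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Simplified organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Is the SPF/DKIM-authenticated domain aligned with the From: domain?"""
    if not auth_domain:
        return False  # that check did not pass at all
    if mode == "s":  # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed


def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject')
    the sender domain asked receivers to apply to unaligned mail."""
    policy = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, policy["aspf"]):
        return "pass"
    if aligned(from_domain, dkim_pass_domain, policy["adkim"]):
        return "pass"
    return policy["p"]
```

With p=reject, a message claiming a From: address at example.com but relayed by an unrelated server that passes neither aligned SPF nor aligned DKIM is rejected outright; under p=none the same message is merely reported.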

AOL says it's working with law enforcement and that the investigation is ongoing. The company has not determined the exact time and date the breach occurred, but it is actively emailing affected users.

The user information stored in compromised AOL address books can include: first and last name, email address, phone numbers, home address, employers, spouses and children, birthdays and anniversaries. Users are not required to fill in all those fields.


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • What is this AOL?

  • Attention


    Those who use Pentium II Windows 98 PCs with dial-up who are also using AOL, please change your AOL password.
    Pollo Pazzo
  • All two AOL users please change passwords

    I get a twitch every time I read or hear AOL. Good old dial up was fast stuff back when. 56K modems, dropped connections, super compressed graphics. That special AOL Internet Explorer disc that I think used to come out in a tin if I am not mistaken. Ah, those were the days.
    The only time I see any news about AOL is when they are in trouble, or getting another new CEO.
  • This breach happened several weeks back

    Whoever hacked it sent out emails in the AOL member's name to the AOL member's contacts. The email said 'Hi' and had a link to some ad. The first such email I got was from someone I knew well, so I wrote the person back to alert them. I had clicked on the ad, though it was suspicious, and nothing happened. Still, I was on my XP machine, so I used Norton GoBack to 'dial back' the time to wipe out all activity prior to that email's arrival. No problems thus far.

    I've received several of those emails since; I just delete them unread. Fortunately my email is only on my XP machine. Had the email been on my Win7 machines, I'd have had no way to roll back. Windows File History, its knock-off of GoBack, doesn't work rightly.
  • Ongoing Problem

    When will people wise up and realize that all of your "Free" email providers cost you your privacy and sometimes your bank account? Today, all "Free" email providers scan, analyze, and categorize your content. It is then sold to third-party advertisers for the purpose of targeted advertising and also given to the NSA! They then blame these "third parties" when they experience a data breach. Secure your data! Protect your privacy! Americans Right to Privacy offers a secure Swiss email for as low as $3.25 a month.
    At you will remain anonymous as we DO NOT and WILL NOT copy, scan, or sell any of your content. Our email service is 100% privacy guaranteed. Privacy is not only a human right but also required to survive in a competitive business environment. We are very serious about protecting your electronic communications and, due to the strict restrictions of the U.S. Patriot Act for law-abiding citizens, we cannot align ourselves with servers located in the United States. Therefore, our servers are located in Switzerland, where strong data privacy laws do not abide by the U.S. Patriot Act.
    We offer a professional global email service solution for both personal and business use. PrivacyAbroad email service is free of advertising and SPAM and provides private communication with your emails saved and backed up in Switzerland, renowned for its strong data privacy protection laws. Email comes with 1 GB of expandable storage space.