AOL is asking potentially millions of its email users to change their passwords and security questions after discovering a cyber attack that potentially comprised the accounts of a small portion of its user base.
The company said it had discovered unauthorized access to its networks and systems and said the information accessed included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions used for password resets.
Roughly 2% of AOLs users are affected, the company said. AOL’s Web-based email has lost favor with users over the years. The company does not announce user figures, but declining numbers have been the ongoing trend as Google, Microsoft and Yahoo have risen to the top of the Web-based email heap.
The company issued a statement Monday via its blog and filed the same information with the Securities and Exchange Commission as is protocol.
The company is advising its users to change their passwords and to change passwords on other accounts if they re-used their AOL credentials there.
AOL said it has no indication that encryption was broken on passwords and security questions. And it said there is no indication of the loss of users' financial information, including debit and credit cards.
The company said the attack was discovered after a flood of complaints about spoofed emails appearing to come from AOL’s end-users. The spoofing was first noticed on April 22, according to AOL. At that time, the company made changes to its DMARC (Domain-based Message Authentication, Reporting and Conformance) Servers so other email providers would know to reject messages with AOL addresses that originated from non-AOL servers.
AOL says it's working with law enforcement and that the investigation is ongoing. The company has not determined the exact time and date the breach occurred, but it is actively emailing affected users.
The user information stored in compromised AOL address books can include: first and last name, email address, phone numbers, home address, employers, spouses and children, birthdays and anniversaries. Users are not required to fill in all those fields.