Usually, receiving an email from an AOL email address with a cryptic subject like “Hi” or “Fw: news” wouldn’t be too much of a concern, but you might want to avoid clicking on those links: there are multiple reports out Monday that old AOL accounts have been compromised and are sending out phishing spam.
Affected users are airing their complaints on the #aolhacked hashtag on Twitter. One user is complaining that phishing emails were sent to every single one of his 2,200 contacts. Some are simply seeing the phishing emails from others and tweeting about it. Two users are complaining that changing passwords and security questions is not stopping the rivers of spam coming from their accounts. Several affected users are longtime AOL subscribers with decades-old accounts.
I’ve received a few of the emails in question, and they generally look like this with a few different permutations:
Date: Sun, Apr 20, 2014 at 8:25 AM
Subject: How are you?
Have you already seen it? http://XXXXXX.it/ik/breakingnews.php
I’ve reached out to AOL for a statement and will update if they respond. According to AOL’s help document on spoofing, if spam emails are found in the sent folder, that means that the account has been compromised.
In the meantime, the best course of action is to delete suspicious emails and check your old AOL account to make sure a bad actor isn’t sending out spam under your name. The emails aren’t the most sophisticated phishing attempts — there’s no call to action and the destination link does not look like a bank or internet service — but sometimes it’s hard not to click on an email from Grandma with the subject “How are you?”
Update 7PM EDT: AOL’s response is below:
AOL takes the safety and security of consumers very seriously, and we are actively addressing consumer complaints. We are working to resolve the issue of account spoofing to keep users and their respective accounts running smoothly and securely. Users can find the latest updates on our AOL Help site, and should contact us if they believe their account is being spoofed.
Update 5:05PM EDT 4/22/14: A few minutes ago, Aol sent over another statement. Although there is no mention of where the spoofers/spammers got the contacts from, Aol has acknowledged the problem and is taking steps to ameliorate its effects:
AOL Mail is immediately changing its policy to help mail providers reject email messages that are sent using forged AOL Mail addresses.
This means that Aol has changed its DMARC policy to reject. This tells other mailbox providers to reject Aol email that doesn’t come from an Aol server. It also means that if you use an alternate provider to manage your AOL email address, emails may no longer reach the recipient’s inbox. You can read the entire statement on the Aol corporate blog.
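How a receiving mail server applies a reject policy like the one described above, as an added example that is not from the original article or from Aol. The record and the domains (mailhost.example and the others) are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: simplified DMARC evaluation on the receiving side.
# RECORD and all domains are constructed samples, not real DNS data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same org domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    tags = parse_dmarc(record)
    if tags is None:
        return "deliver"  # no usable policy published
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # authenticated AND aligned with the From: domain
    policy = tags["p"].lower()
    return policy if policy in ("quarantine", "reject") else "deliver"

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@mailhost.example"  # constructed

if __name__ == "__main__":
    # Sent through the domain's own servers: SPF passes and aligns.
    print(disposition(RECORD, "mailhost.example", True, "bounce.mailhost.example", False, None))
    # Forged From: address, sent by an unrelated server.
    print(disposition(RECORD, "mailhost.example", True, "spammer.example", False, None))
    # Genuine user sending through a third-party provider: same outcome.
    print(disposition(RECORD, "mailhost.example", True, "thirdparty.example", True, "thirdparty.example"))
```

The third case is the side effect the article mentions: the third-party server authenticates correctly for its own domain, but nothing aligns with the From: domain, so the message is treated the same as a forgery.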
Update 4/28/14: Aol has confirmed the security breach, noting that encrypted passwords and security questions and answers were exposed. More information is in our updated post.