
Summary:

There are multiple reports that old AOL email addresses have been compromised and are sending out spam.


Usually, receiving an email from an AOL email address with a cryptic subject like “Hi” or “Fw: news” wouldn’t be too much of a concern, but you might not want to click on those links: there are multiple reports out Monday that old AOL accounts have been compromised and are sending out phishing spam.

Affected users are airing their complaints on the #aolhacked hashtag on Twitter. One user is complaining that phishing emails were sent to every single one of his 2,200 contacts. Some are simply seeing the phishing emails from others and tweeting about it. Two users are complaining that changing passwords and security questions is not stopping the rivers of spam coming from their accounts. Several affected users are longtime AOL subscribers with decades-old accounts.

I’ve received a few of the emails in question, and they generally look like this with a few different permutations:

From:XXXXXXXXXXX@aol.com
Date: Sun, Apr 20, 2014 at 8:25 AM
Subject: How are you?
To:

Hi!  

Have you already seen it?  http://XXXXXX.it/ik/breakingnews.php

 

I’ve reached out to AOL for a statement and will update if they respond. According to AOL’s help document on spoofing, if spam emails are found in the sent folder, that means that the account has been compromised.

In the meantime, the best course of action is to delete suspicious emails and check your old AOL account to make sure a bad actor isn’t sending out spam under your name. The emails aren’t the most sophisticated phishing attempts — there’s no call to action and the destination link does not look like a bank or internet service — but sometimes it’s hard not to click on an email from Grandma with the subject “How are you?”

Update 7PM EDT: AOL’s response is below:

AOL takes the safety and security of consumers very seriously, and we are actively addressing consumer complaints. We are working to resolve the issue of account spoofing to keep users and their respective accounts running smoothly and securely. Users can find the latest updates on our AOL Help site, and should contact us if they believe their account is being spoofed.

Update 5:05PM EDT 4/22/14: A few minutes ago, Aol sent over another statement. Although there is no mention of where the spoofers/spammers got the contacts from, Aol has acknowledged the problem and is taking steps to ameliorate its effects:

AOL Mail is immediately changing its policy to help mail providers reject email messages that are sent using forged AOL Mail addresses. 

This means that Aol has changed its DMARC policy to reject. This tells other mailbox providers to reject Aol email that doesn’t come from an Aol server. It also means that if you use an alternate provider to manage your AOL email address, emails may no longer reach the recipient’s inbox. You can read the entire statement on the Aol corporate blog.

Update 4/28/14: Aol has confirmed the security breach, noting that encrypted passwords and security questions and answers were exposed. More information is in our updated post.

 

 

  1. AOL customer Monday, April 21, 2014

    It’s happening to me, I exported then deleted all of my contacts so the bots can try as much as they like and they won’t get anywhere. I am so angry that this has happened and can only hope my friends and business colleagues won’t click on the link. I received ten emails in my inbox – from myself! These people are SCUM!

    Thank you so much for the post, I’ll refresh the page every few hours and see if you have managed to gather any more info.

    Thanks again.

    1. Unfortunately deleting your contacts won’t help with this attack. AOL’s servers have been compromised and the addresses have been taken from there not from your personal account. Changing your password and/or security question will do nothing either. You’ll notice all the returned mail in your inbox and yet nothing in your outbox because nothing is actually going from your account. They are trying and have been for days apparently, we just have to sit tight until they close the breach.

      1. AOL customer, raging angry now! martin ash Monday, April 21, 2014

        Thanks so much, extended thanks in my other reply to the general post. :)

      2. Unfortunately, even if AOL closes the breach, hackers already have their lists and can keep sending at will, since none of these emails are actually touching AOL’s servers. At this point, the only thing you can do is try and trace the original sending server (SMTP) from the email headers, do a WhoIs lookup on the URL, and try to notify the hosts that their servers are compromised. This problem is not a *LOT* bigger than just AOL, and there’s nothing they can do to stop it.

  2. Same issue. Emails sent looking like they are from my account three different days in a row. I’ve changed my password four times now. No idea how to fix it. Grr.

  3. Happened to me, starting yesterday. So frustrated. Aol won’t do anything but change my password and they will not acknowledge there is a problem. The emails are actually coming from my email as I have drafts and returned mail in my mailbox. I have changed my password 5 times in less than 24 hours and it keeps happening.

    1. Yeah, that’s frustrating. I’ve heard from other people too that they have gotten mailer-daemons, but AOL’s customer service continues to insist it’s a spoofing attack.

      1. Okay. So the emails are spoofed. But the question then becomes where did the contacts come from?

      2. It cannot be a spoofing attack! It makes me so mad they are saying this. Like I said I had it in my drafts folder along with returned mail and they are using contacts I sent maybe 1 email to going all the way back to 2009! When I called aol yesterday they are insisting there is no problem. I’m glad they are finally saying something even though still not really owning up to it.

        1. Not to deny your issue, but the ones I’m seeing going out *are* a spoof. There’s still the bigger question of how hackers managed to acquire the contact lists but, at least in my case, I have confirmed that the emails are not actually coming from my account.

          You will get mailer-daemon “returned” emails, even with a spoof attack. If you’ve actually got something in the Drafts folder, that’s a different story. Check your sent folder and see if it’s in there.

          If you have access to any of the emails that actually got sent out (they sent me email on a different account in my case) try checking the message header itself. *How* to do that varies a bit between email services.

          Here is what I’m seeing in the header of the emails I got:

          Received: from 111-248-170-73.dynamic.hinet.net ([111.248.170.73]:61088 helo=SARTAINMUSIC.COM)
          by echo.unisonplatform.com with esmtpa (Exim 4.82)

          So… not actually coming from AOL’s mail servers.

  4. Happening to me too, I thought changing my password last night would help. How can I delete my contacts history so they won’t email to them? I’ve been contacted by some asking me WHY! Am I sending those emails. Thanks beforehand

    1. The emails aren’t coming from your actual account. And, unfortunately, deleting your contact list almost certainly won’t do any good at this point, since the hackers already have the list.

      The really, really aggravating truth here is that there is *nothing* we can do directly to stop this. If you have access to the outgoing emails, and know how to get to the actual message headers, you can try and figure out what server originally sent the email and notify them that their server is compromised. The problem is *way* bigger than just AOL’s email servers.

  5. AOL customer, raging angry now! Monday, April 21, 2014

    Sorry, think I pressed the ‘comment’ button twice, my nerves are frazzled! :/

    AOL’s response is possibly the most pathetic I’ve read in a very, very long time.

    Tomorrow, I’ll close down my accounts. I have so many emails so I’m not sure if I can export them as a batch or if it’s even safe to download them to my computer, so many are receipts. If anyone can help me with this I would be so grateful as I have only ever used AOL email online in my browser, never in Thunderbird, etc.

    Thank you, Martin for telling me that it’s the AOL servers that have been compromised, it’s reassuring that they haven’t been in my account but it’s still horrifying, You’re absolutely right, I have none of the spoof emails in my sent box but 44 returned emails in my inbox from companies saying they’ll get back to me, Audible have even opened an account!!!! I have another 14 spam box mailer-daemon replies saying the messages have been refused. Thank goodness, at least some of my contacts won’t get them.

    Given their lacklustre response and that it’s only paying customers that can contact them: I tried for hours to find a UK call centre or email but that’s just not available for those of us with free accounts. I’ve also discovered that I can’t even delete my free account. Who doesn’t let you delete your account???? I’m so appalled and scared, if they can hack their servers then does that mean they can read all of our emails? Given AOL’s useless response I don’t see this getting better anytime soon. Using my contacts is bad and embarrassing enough but getting their sticky little mitts on private info in saved mail is another thing.

    Again, if anyone can help me find a way to batch export my emails, I have other mail accounts they can be sent to, I would be so grateful. Thanks already for your feedback and for keeping such a close eye on this for all of us. Keep up the good work!

    At least we’re not alone in this, we may not have AOL to help us but we have a fantastic site here that’s helping, thank you SO much!

    1. It is extremely embarrassing. This is going to parents of children my kids used to be friends with, teachers, school PTA email addresses, realtors…

  6. AOL customer, raging angry now! Monday, April 21, 2014

    Found this site, hopefully I’m allowed to post an url as it shows you how to batch export into Gmail. I’m not Gmail’s biggest fan, to say the least but it’ll do for now. Although, it’s so late now it’ll have to wait till tomorrow.

    Apologies if I’m breaking rules by posting this, no harm is meant: it’s only http://www.about.com.

    http://email.about.com/od/gmailtips/qt/Import_AOL_Messages_and_Contacts_Into_Gmail.htm

  7. Another angry AOL user… Monday, April 21, 2014

    Yes, they are spoofed, but it’s obvious that someone has totally breached AOL security, as my entire contact list seems to have been downloaded and is being used to send spoofed emails in my name.

    AOL can’t keep this quiet much longer, and their slow, head-in-the sand approach to the problem just ensures that they circle the drain that much faster–and now the garbage disposal is ON.

  8. Good luck getting a hold of aol tech support. I cxld my acct years ago & over the weekend my contacts were bombarded with spam supposedly sent by me. The call center does not want to connect me to tech support as I DO NOT have an aol acct. I can’t get past the road block. I am trying to fix something that’s happening to a deleted acct. suggestions?

    1. Try this number – I was able to reach the customer service people here:
      800 827-6364.
      That’s scary that you cancelled it years ago and you are still getting hacked.

  9. Hi

    I have the same issue – three days in a row I’ve had mail returned from old and random contacts but there’s nothing in my sent box so they’re obviously spoofed.

    My concern is that this is my main email account that I’ve used since 2002 so closing it isn’t really an option – does anyone know of any way to divert emails to another address like you can with phone numbers?

    Thanks

  10. I’m a Gmail user and it is usually excellent at catching spam. Curiously, all these AOL spam emails are going straight to the inbox. Perhaps that’s because all the senders are known addresses with whom I have communicated before.
    Anyway, I have checked my address book and have 14 contacts using AOL addresses. I have been spammed by all 14 of them. Looks bad.

    1. It looks like a TON of people are affected, yet I just read an article where it says aol claims it’s less than 1% of users being affected. They are kidding themselves if they really think this.
