Following last week’s reports of a significant uptick in spoofed spam from Aol email addresses, Aol admitted in a blog post Monday that it suffered a significant security breach. According to the Aol mail team, someone gained unauthorized access to information from 2 percent of Aol email accounts (emphasis added):
AOL’s investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information.
As noted by Brian Alvey, although the spam emails coming from Aol email addresses were spoofed, the bigger question is where the spammers got the contact details. Several commenters noted that it seemed like entire private address books had been stolen. With this statement from Aol, it is now confirmed that this was the case.
Even worse, it appears that the spammers also came away with encrypted passwords and security questions.
Gigaom first wrote about the security breach last Monday, although the Rapid City Journal noted it on April 20 and the Aberdeen (South Dakota) News published a column addressing the issue on April 18. This means 10 days elapsed between the first press report and Aol’s admission of the full extent of the breach.
Although Aol said there is no indication that the encryption on the passwords or security questions and answers has been broken, it is only a matter of time before someone cracks the hashes. Depending on the strength of the hashing scheme Aol used, that could take as little as a few days or it could take years. Last March, Nate Anderson wrote on Ars Technica about how he was able to crack nearly half of a list of unsalted MD5-hashed passwords in an afternoon using a laptop and readily available tools.
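The difference between "a few days" and "years" comes down to how the passwords were stored. The following added example (not from the article or from Aol; the usernames and passwords are constructed) contrasts the weak scheme the paragraph mentions, a single unsalted MD5 hash, with a per-user salt and a deliberately slow key-derivation function. With no salt, every user who picked the same password ends up with the same stored hash, so one lookup-table hit or one recovered hash exposes all of them; with a random salt and PBKDF2, identical passwords produce unrelated digests and each guess costs hundreds of thousands of hash operations instead of one.

```python
import hashlib
import hmac
import os

# Constructed sample records for the demonstration; not real account data.
USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}


def unsalted_md5(password: str) -> str:
    """The weak scheme the article refers to: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_unsalted(users: dict) -> dict:
    """Group users whose unsalted hashes collide.

    Because nothing user-specific is mixed in, identical passwords give
    identical hashes: the stored table itself reveals who shares a password,
    and a single precomputed entry covers every one of them.
    """
    by_hash = {}
    for name, pw in users.items():
        by_hash.setdefault(unsalted_md5(pw), []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


# Iteration count is chosen to make each guess slow; tune it upward over time.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, slow hash: a fresh 16-byte random salt per user plus PBKDF2-HMAC-SHA256.

    Returns (salt, digest); both are stored, the salt is not secret.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Unsalted MD5: bob and carol are visibly the same.
    print("colliding unsalted hashes:", duplicate_unsalted(USERS))
    # Salted PBKDF2: the same password yields different digests per user.
    bob_salt, bob_digest = hash_password(USERS["bob"])
    carol_salt, carol_digest = hash_password(USERS["carol"])
    print("salted digests equal?", bob_digest == carol_digest)
    print("bob verifies:", verify_password("hunter2", bob_salt, bob_digest))
    print("wrong password verifies:", verify_password("hunter3", bob_salt, bob_digest))
```

The PBKDF2 call is standard-library only; a production deployment would more commonly reach for bcrypt, scrypt or Argon2, but the property being demonstrated (per-user salt plus a tunable work factor) is the same.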
If you are affected, you should change your passwords on other sites, especially if they were ever emailed to you in plain text or you reuse your Aol mail password for other services. You should also change your security questions and passphrases, keeping in mind that you do not need to answer a security question literally as long as you can remember what you typed.