
AOL acknowledges security breach; contacts, addresses, encrypted passwords exposed


Following last week’s reports of a significant uptick in spoofed spam from Aol email addresses, Aol admitted in a blog post on Monday that it suffered a significant security breach. According to the Aol mail team, someone gained unauthorized access to information from roughly 2 percent of Aol email accounts (emphasis added):

AOL’s investigation is still underway, however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information.

As noted by Brian Alvey, although the spam emails coming from Aol email addresses were spoofed, the bigger question is where the spammers got the contact details. Several commenters noted that it seemed as if entire private address books had been stolen. Aol’s statement now confirms that this was the case.

Even worse, it appears that the attackers also came away with encrypted passwords and encrypted security questions and answers.

Gigaom first wrote about the security breach last Monday, although the Rapid City Journal noted it on April 20 and the Aberdeen (South Dakota) News published a column addressing the issue on April 18. This means 10 days elapsed between the first press report and Aol’s admission of the full extent of the breach.

Although Aol said there is no indication that the encryption on the passwords or security questions and answers has been broken, stolen password data is typically cracked sooner or later. “Encrypted” in breach notices almost always means hashed, and how long cracking takes depends on the scheme: a fast, unsalted hash such as MD5 can fall in days or hours, while a salted, deliberately slow function such as bcrypt, scrypt or PBKDF2 with a high iteration count can hold out for years against all but the weakest passwords. Aol has not said which it uses. Last March, Nate Anderson wrote on Ars Technica about how he was able to crack nearly half of a list of unsalted MD5-hashed passwords in an afternoon using a laptop and readily available tools.
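To make the difference concrete, here is an added example that is not part of the original post and has nothing to do with Aol’s actual storage format (which the company has not disclosed). It runs the same small dictionary attack against two constructed sets of “leaked” hashes: unsalted MD5, where one hash per candidate word tests every account at once, and salted PBKDF2-SHA256 with 100,000 iterations, where every account and candidate pair costs a full key derivation. The wordlist, account names and passwords are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real breach): a tiny wordlist and a
# few accounts whose passwords were hashed from it, plus one strong password
# that no dictionary attack of this size will find.
WORDLIST = ["password", "letmein", "123456", "qwerty", "sunshine", "dragon"]
PASSWORDS = {
    "user1@example.com": "letmein",
    "user2@example.com": "sunshine",
    "user3@example.com": "correct horse battery staple",  # not in WORDLIST
}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the slow-hash case


def md5_hex(password):
    """Fast, unsalted hash: the weak storage scheme Anderson attacked."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(leaked, wordlist):
    """leaked: {account: md5 hex}. Returns {account: recovered password}.

    Without a salt every account shares the same mapping from password to
    hash, so the attacker hashes each candidate exactly once and looks every
    leaked digest up in the resulting table.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {acct: table[digest] for acct, digest in leaked.items() if digest in table}


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash. Returns (salt, digest) as a site would store it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password, salt, digest):
    """Constant-time comparison of a freshly derived digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted_pbkdf2(leaked, wordlist):
    """leaked: {account: (salt, digest)}. Returns {account: recovered password}.

    The per-account salt rules out a shared lookup table, so the attacker must
    run the full (slow) derivation for every account/candidate pair.
    """
    found = {}
    for acct, (salt, digest) in leaked.items():
        for word in wordlist:
            if pbkdf2_verify(word, salt, digest):
                found[acct] = word
                break
    return found


def hash_operations(accounts, candidates, salted, iterations=1):
    """Primitive hash invocations needed to test every candidate against every
    account: salting multiplies the work by the number of accounts, a slow KDF
    multiplies it again by its iteration count."""
    base = candidates * accounts if salted else candidates
    return base * iterations


def build_md5_dump():
    return {acct: md5_hex(pw) for acct, pw in PASSWORDS.items()}


def build_pbkdf2_dump():
    return {acct: pbkdf2_store(pw) for acct, pw in PASSWORDS.items()}


if __name__ == "__main__":
    print("unsalted MD5 :", crack_unsalted_md5(build_md5_dump(), WORDLIST))
    print("salted PBKDF2:", crack_salted_pbkdf2(build_pbkdf2_dump(), WORDLIST))
    n_acct, n_words = len(PASSWORDS), len(WORDLIST)
    print("hash ops, MD5   :", hash_operations(n_acct, n_words, salted=False))
    print("hash ops, PBKDF2:", hash_operations(n_acct, n_words, salted=True, iterations=ITERATIONS))
```

Both attacks recover the two weak passwords and miss the strong one; the point is the cost column, not the hit rate. For three accounts and six words the salted, iterated scheme costs 1.8 million hash invocations versus six, and that gap grows linearly with the number of leaked accounts, which is why the difference between “hashed” and “hashed well” decides whether a dump like this is cracked in an afternoon or not at all.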

If you are affected, change your Aol password, and change your passwords on other sites as well, especially any that emailed your password to you in plain text or where you reused the same password you used for Aol mail. You should also change your security questions and answers, keeping in mind that you do not need to answer a security question literally as long as you can remember what you typed.

Aol’s full statement is here and it has also appended a note to the front page of Aol Help.


One Response to “AOL acknowledges security breach; contacts, addresses, encrypted passwords exposed”

  1. This does not surprise me in the least. Did you know that Google, Yahoo, Hotmail, AOL and other service providers are scanning, analyzing and categorizing your emails every day? As a result, these numerous providers are pleased to give you a “free” email service because they generate large revenues for themselves through the selling of your personal information to third parties! That’s right, third parties!
    100% privacy guaranteed. At you will remain anonymous as we DO NOT and WILL NOT copy, scan, or sell any of your content.
    Our email service is 100% privacy guaranteed. Privacy is not only a human right but also required to survive in a competitive business environment. We are very serious about protecting your electronic communications and, due to the strict restrictions of the U.S. Patriot Act for law-abiding citizens, we cannot align ourselves with servers located in the United States. Therefore, our servers are located in Switzerland, where strong data privacy laws do not abide by the U.S. Patriot Act.