AOL on Monday disclosed that a “significant number” of user accounts had been hacked, confirming rumors that had swirled around the issue for a week and reversing its statement of a week earlier that users’ email accounts were merely being spoofed.
The hackers stole users’ email and postal addresses, address book contacts, encrypted passwords and encrypted answers to security questions, and “certain employee information.”
However, the data encryption has not yet been broken, and there is no indication so far that users’ financial information, which also is encrypted, has been disclosed, the company claimed.
“It is possible that attackers gained access to systems containing subscribers’ personal data but not financial data, [which] is generally kept on separate financial systems in large enterprises,” Joshua Goldfarb, chief security officer at nPulse Technologies, told TechNewsWorld.
Encryption on stolen data can be broken offline, although some encryption is easier to break than others, Goldfarb said. “I suspect we will hear more on this in the coming days and weeks.”
What AOL Has Disclosed
AOL is working “with best-in-class external forensic experts and federal authorities” to investigate the breach, which it calls a “serious criminal activity.”
The company claims to have launched the probe immediately following a “significant increase” in the amount of spam appearing as spoofed emails.
About 2 percent of AOL’s subscribers have been hacked, it said.
That means more than 600,000 accounts have been hit, if Quantcast’s estimate that AOL has more than 32 million subscribers is correct.
Reacting to the Breach
AOL advises users and employees to change their passwords and the security questions and answers for any of its services that they use.
It has “put enhanced protective measures” in place and is notifying potentially affected users.
AOL also put out the standard advice: Do not click on any links within suspicious emails or open any files attached to them; contact the sender of any email that looks suspicious to verify that they did send it; never provide personal or financial information in an email to strangers; and users who suspect their email accounts have been hacked should notify their friends and warn them not to click on links or open attachments.
The company also has updated its DMARC policy and published advice on its help pages on what users should do if they suspect they’ve been hacked.
The update does prevent further spamming from those compromised accounts.
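To show what a DMARC policy update does and does not stop, here is an added example (not AOL’s code or its actual record) of how a receiving mail server evaluates a published policy: the record text, the domains and the two sample messages are constructed for illustration, and the organizational-domain shortcut is an assumption noted in the comments.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    return tags


def org_domain(domain):
    # Simplified organizational domain: the last two labels. Real receivers use
    # the Public Suffix List; this shortcut is an assumption made for the example.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass' when SPF or DKIM is aligned with the From: domain, otherwise the
    disposition (none/quarantine/reject) the record requests. spf_domain and
    dkim_domain are the domains that already passed SPF / DKIM, or None if neither did."""
    tags = parse_dmarc(record)
    if aligned(spf_domain, from_domain, tags.get("aspf", "r")):
        return "pass"
    if aligned(dkim_domain, from_domain, tags.get("adkim", "r")):
        return "pass"
    # Mail From: a subdomain falls under the sp= tag when one is published.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed sample policy and messages (not AOL's real record or traffic).
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"
# A spoof: From: example.com, but the sending host only authenticates for a third-party domain.
SPOOFED = dmarc_disposition(POLICY, "example.com", spf_domain="bulk-sender.example.net")
# Mail genuinely relayed through the domain's own servers is aligned and passes, so a
# reject policy does nothing against messages sent from an account the attacker controls.
GENUINE = dmarc_disposition(POLICY, "example.com", spf_domain="example.com", dkim_domain="example.com")
```

Receivers that honor a p=reject policy drop the spoofed message at delivery time, which is why the forged “from your AOL buddy” spam stops; mail that actually leaves the provider’s own servers still passes.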
“I’ve seen compromised email accounts sign up to various Web forums with the intent to spam,” Kenneth Bechtel, malware research analyst at Tenable Network Security, told TechNewsWorld. “It’s very difficult for a forum owner to reject new members if the email [address] is legit, and then the spammer posts links to porn … or compromised websites.”
Breach? What Breach?
“At AOL, we care deeply about the safety and security of your online experience,” the company said Monday.
That claim might ring somewhat hollow for those who were flooded with spam from their AOL buddies containing links for diet pills and Android malware, among other things, and who were told by the company last week that their emails were merely being spoofed.
More Trouble in the Offing
AOL’s DMARC update doesn’t stop hackers from selling the information stolen from AOL users.
“Identity theft and user accounts are very lucrative trade items on the black market,” Bechtel pointed out.
Further, “I find it very hard to believe that financial information wasn’t compromised,” John Pirc, chief technology officer at NSS Labs, told TechNewsWorld.
“If [the hackers] have access to reset password information, they can have full account access,” Pirc continued. “It’s still early in the disclosing period, so we’ll just have to wait and see.”
While upgrading systems will decrease the risk of a breach, it’s not likely to prevent one, Pirc said.
Companies should focus on cyber-resiliency, Pirc stated. “The adversary is persistently targeting corporations, and all organizations need to be hyper-aware of their risk profile and have a strong process in place for continuous monitoring.”