Following AOL's efforts last week to stifle a massive spoofing attack that has been afflicting users, the company acknowledged that a security breach may have affected a "significant number" of email accounts.
AOL said Monday that private information that could have been exposed included users' email addresses, postal addresses, address book contact information, encrypted passwords, and encrypted answers to security questions, along with some employee data.
The company believes hackers used this information to send spoofed emails that appear to come from approximately 2 percent of its email accounts. "Spoofed" emails are messages that have been forged to make them appear as if they have come from legitimate accounts.
AOL last week changed its email authentication system following user complaints about emails that appeared to originate from AOL users and that contained links to sites with malware or that peddled diet pills.
The company is investigating the security breach, but believes that so far, no financial information, such as credit and debit card numbers, has been revealed. It also believes that hackers weren't able to break the encryption on the passwords or the answers to security questions. Nevertheless, it's urging all users to reset their passwords and also change their security questions and answers.
"We are working closely with federal authorities to pursue this investigation to its resolution," the company wrote. "Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts."