AOL confirms email breach, tells users to change passwords

The company is investigating a security breach that resulted in spoofed emails that appeared to come from roughly 2 percent of AOL accounts.

Desiree DeNunzio


Following AOL's efforts last week to stifle a massive spoofing attack that has been afflicting users, the company acknowledged that a security breach may have affected a "significant number" of email accounts.

AOL said Monday that private information that could have been exposed included users' email addresses, postal addresses, address book contact information, encrypted passwords, and encrypted answers to security questions, along with some employee data.

The company believes hackers used this information to send spoofed emails that appear to come from approximately 2 percent of its email accounts. "Spoofed" emails are messages that have been forged to make them appear as if they have come from legitimate accounts.

AOL last week changed its email authentication system following user complaints about emails that appeared to originate from AOL users and that either contained links to sites with malware or peddled diet pills.

The company is investigating the security breach, but believes that so far, no financial information, such as credit and debit card numbers, has been revealed. It also believes that hackers weren't able to break the encryption on the passwords or the answers to security questions. Nevertheless, it's urging all users to reset their passwords and also change their security questions and answers.

"We are working closely with federal authorities to pursue this investigation to its resolution," the company wrote. "Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts."