AOL volunteer list hacked

A database with account information about America Online community leaders is breached and the data is circulated via email, NEWS.COM learns.

Jim Hu, Staff Writer, CNET News.com

A database containing sensitive account information about America Online community leaders was hacked and the data circulated via email, CNET NEWS.COM has learned.

Sent in the form of an Excel file attachment, the list contains the screen names, true names, and account numbers of more than 1,300 AOL community leaders. Community leaders are AOL members who volunteer their time as guides and chat room monitors in exchange for free membership.

The online service confirmed today that the list was obtained when a hacker broke into the account of an AOL employee who oversees community leaders. Although AOL maintains that its employee databases are secure from external hacks, the perpetrator apparently was able to sift through the employee's 400 email files and found the attached Excel document. The hacker then mass-emailed the list.

The security breach follows a scathing report by the Federal Trade Commission over the online industry's lack of protection of consumer privacy on the Internet. AOL chairman Steve Case has been a vocal proponent for industry self-regulation and has proposed the formation of a Net alliance to work through privacy concerns.

The community leader hack is also the latest in a number of instances where AOL member accounts have been hacked. The account of alternative rock star Trent Reznor was compromised this month, and Reznor's own investigations led to the detainment of the perpetrator.

In addition, earlier this year, AOL came under fire after an employee revealed to a Navy investigator the identity of a member who listed himself as "gay" in his user profile.

"The good news is that these volunteers' accounts are not in jeopardy because of this file, but it's obviously not information we'd want out there," AOL spokeswoman Tricia Primrose said. "We are in the process of investigating what happened."

AOL boasts a volunteer population of about 12,000 members. Community leaders hold high-profile positions and have been known to be targets among account crackers, since they regularly police chat rooms and enforce the rules of AOL's terms of service.

As a result of the security breach, some leaders say they have been subjected to harassing phone calls, and some have been threatened with violence, according to a community leader who asked to remain anonymous. A community leader's phone number can be obtained via Web phone directories using the information provided on the list.

"If you spend enough time in the cybercommunity, you need to protect yourself," the leader added. "I have been reading posts on staff message boards saying that they're getting harassing phone calls."

Although there have been no reports of tampering in community leader accounts since the list was circulated, many leaders still fear "social-engineering" hacks of their accounts. Social-engineering hacks involve hackers persuading or tricking someone into willingly handing over information, rather than a technological break-in.

For example, the American Civil Liberties Union site on AOL was hacked last month when a perpetrator named "PhatEndo" convinced a customer service representative that he was the account holder and obtained confidential information. The hacker then proceeded to reset the subscriber's password, eventually gaining access to the account and defacing the page.

"They've got our account number, so anyone can call up AOL and say that they're me," the community leader said.

Primrose maintained that community leader accounts would be secure, noting that the service validates all volunteer and community leader account information. She added that AOL has started a community leader help desk and has begun to "put together an expedited process for community leaders to change their volunteer screen names." Community leader passwords were not listed in the Excel file.

"What we're doing is reaching out to the community leaders on this list," Primrose said. It remains unclear how the community leader hack was perpetrated.

AOL's community leaders' organization released a statement Sunday to its volunteers, saying that no databases were hacked but confirming that an account containing the list was compromised.

Nonetheless, many of the community leaders remain on edge, and many have taken measures to prevent further breaches in their accounts.

"It's really aggravating," one said.

Just last week, during the Commerce Department summit examining self-regulatory policies to shield Net users' privacy, AOL senior vice president and general counsel George Vrandenberg said, "We are working our tails off" to improve privacy protection for AOL members. For example, he said that every AOL employee had to review the company's privacy policies and sign a statement pledging compliance with them. AOL also says it does not disclose member surfing habits to third parties without permission.

Vrandenberg also said the company was going through and boosting security measures. "We're doing internal audits to test our own system to ensure it is as good as it can get," he said.

Reporter Courtney Macavinta contributed to this report.