AOL accounts spoofed / hacked

A client called me about her computer being hacked. It turns out that probably only her AOL account was hacked. People in her address book were getting odd email messages supposedly from her. Her PC was okay otherwise.

She’s one of many experiencing the problem. PC World noted the situation in their article “You’ve got spam mail: Slew of AOL email accounts fall prey to spoofing attack.” There’s a hashtag, #aolhacked, tracking reports of the problem.

It’s unclear whether in all cases AOL accounts were hacked or somehow address books were compromised and used to spoof email addresses.

AOL recommends changing your password. That may help if your account was hacked. But if your account is being spoofed, that’s another matter, with no ready solution. AOL has a page describing the difference.

PC World also recommended reviewing these computer safety tips: How to protect your PC against devious security traps.

The classic case of spoofing is where you receive a message purportedly from yourself to yourself — something that you did not do.

Remember that email is modeled after the United States Postal Service (USPS). So, it’s easy for anyone to put whatever “to” address they want on an envelope as well as any “from” address.
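The return address on the envelope (Return-Path) and the From line inside a message can be compared with the SPF/DKIM/DMARC verdicts the receiving mail server records, which is how a spoofed message is told apart from one that really went through the account. The Python below is an added example, not part of the original post; the two sample messages are constructed, and every name and domain in them other than aol.com is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real mail; all names and domains except
# aol.com are placeholders.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail header.from=aol.com
From: "Jane Client" <jane.client@aol.com>
To: friend@example.org
Subject: Hi

(body omitted)
"""
SENT_BY_PROVIDER = """\
Return-Path: <jane.client@aol.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=aol.com; dkim=pass header.d=aol.com; dmarc=pass header.from=aol.com
From: "Jane Client" <jane.client@aol.com>
To: friend@example.org
Subject: Hi

(body omitted)
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts from the topmost Authentication-Results header.
    Only trust this header when your own receiving server added it."""
    value = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}

def classify(raw):
    msg = message_from_string(raw)
    results = auth_results(msg)
    if not results:
        return "unknown"  # no verdicts recorded; nothing to decide on
    # The "envelope" sender (Return-Path) versus the "letterhead" (From).
    aligned = domain_of(msg["Return-Path"]) == domain_of(msg["From"])
    if results.get("dmarc") == "pass" or (aligned and results.get("spf") == "pass"):
        return "sent-by-provider"  # came through the real service: change the password
    if "fail" in results.values() or not aligned:
        return "spoofed"  # forged From line: a password change will not stop it
    return "unknown"
```

A "sent-by-provider" result only shows that the message passed through the real service; it does not by itself say who was logged in to the account.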

You just have to be careful, especially with email messages with subjects like “Hi” or “How are you” or something else that’s really general or vague (or even blank). And beware of phishing scams that have subjects regarding undeliverable packages.

In general I recommend that everyone have at least two email addresses with different service providers. So, if you have an AOL account, then also have a Google account with a Gmail address as a secondary address.

1 comment

  1. April 29, 2014

    AOL

    Dear AOL User,

    At AOL, we care deeply about the safety and security of your online experience. We are writing to notify you that AOL is investigating a security incident that involved unauthorized access to AOL’s network and systems. Recently, our systems alerted us to an increased incidence of email users receiving spam emails from “spoofed” AOL email addresses. AOL’s security team immediately began investigating the cause of the spoofed emails. Spoofing is a tactic used by spammers to make it appear that the message is from you in order to trick the recipient into opening it. These emails do not originate from the AOL Mail system – the addresses are just edited to make them appear that way. AOL is working with other email providers like Gmail, Yahoo! Mail and Outlook.com to stamp out spoofing across the industry, and we have implemented measures that will significantly limit its future occurrence.

    Although our investigation is still underway, we have determined that there was unauthorized access to AOL users’ email addresses, postal addresses, contact information (as stored in the AOL Mail “Address Book”), encrypted account passwords, and encrypted answers to security questions that we ask when a user resets his or her password. We believe spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

    Importantly, at this point, we have no indication that the encryption on the passwords or the answers to security questions was broken. Likewise, there is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted.

    Nevertheless, as a precautionary measure, we strongly encourage you to reset your password used for any AOL service and, when you do so, you should take the time to change your account security question and answer. You may reset your password and account security question at account.aol.com.

    In addition, there are steps you can take to protect yourself from cyber risks. They include:

    – If you receive a suspicious email, do not respond or click on any links or attachments in the email.

    – When in doubt about the authenticity of an email you have received, contact the sender to confirm that he or she actually sent it.

    – Never provide personal or financial information in an email to someone you do not know. AOL will never ask you for your password or any other sensitive personal information over email.

    – If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and to avoid clicking the links in suspicious emails.

    We place a premium on the security of our systems and our users’ information. We are implementing additional measures to address this incident, and we are working with law enforcement to pursue the matter.

    If you have any further questions, additional information and an extensive Q&A can be found at faq.aol.com. We apologize for any inconvenience, and we are addressing the situation as quickly and forcefully as we can.

    Bud Rosenthal, AOL Membership Group CEO

    ©2014 AOL, Inc. All Rights Reserved.
