AOL traces mystery spam flood to security breach; passwords and more stolen

E-mail addresses and encrypted passwords compromised for roughly 2 percent of accounts, AOL says.

AOL is asking users to reset their passwords as it investigates a recent flurry of spam e-mails.

According to Reuters, the uptick in AOL spam is related to a security breach that affected roughly 2 percent of users. Hackers made off with e-mail addresses, mailing addresses, encrypted passwords, and encrypted security questions. AOL says it's still investigating the matter in conjunction with federal employees.

So far, there's no evidence that the encryption on passwords and security questions has been broken. There's no sign of financial information being compromised either, the Wall Street Journal reports.

Users began complaining last week of spam e-mails from their AOL accounts. AOL originally suggested that these users were victims of spoofing, in which a spammer mimics a trusted address in the "From" field of an e-mail. In these cases, the message doesn't actually come from the victim's account, and doesn't even originate from the mail provider's servers.

The strange thing about AOL's case is that the spoofed e-mails were going out to contacts in the victims' address books. AOL still hasn't explained exactly how this happened, though it seems likely that the security breach had something to do with it.

In any case, users won't be able to stop the spam by changing their passwords, because the spam isn't actually being sent from their e-mail accounts. But AOL says it is now telling other DMARC-compliant mail providers, such as Gmail, Yahoo Mail and Outlook.com, to reject AOL e-mails that don't come from AOL servers. This may require some changes by e-mail marketers and mailing lists, but it's a necessary move to stem the tide of spam.
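How a receiving provider applies such a reject policy, as an added example that is not from the article or from AOL: a simplified DMARC evaluation (relaxed alignment only) over three constructed messages. The policy record, all domains, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC check (RFC 7489), relaxed alignment only.
# The policy record and all domains are constructed for illustration.
POLICY_RECORD = "v=DMARC1; p=reject; rua=mailto:reports@provider.example"

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(policy, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the
    receiver's own checks. Returns 'pass' or the published policy."""
    for result, auth_domain in (spf, dkim):
        if result == "pass" and org_domain(auth_domain) == org_domain(from_domain):
            return "pass"
    return policy.get("p", "none")

# Constructed messages, all with From: ...@provider.example
SAMPLES = {
    # Sent through the provider's own servers and signed by it.
    "genuine": (("pass", "provider.example"), ("pass", "provider.example")),
    # Spoofed From; SPF passes only for the spammer's own envelope domain.
    "spoofed": (("pass", "bulk-sender.test"), ("none", "")),
    # List re-sends under its own envelope; added footer breaks the DKIM signature.
    "mailing_list": (("pass", "lists.hobby.example"), ("fail", "provider.example")),
}

def evaluate_samples():
    policy = parse_dmarc(POLICY_RECORD)
    return {name: dmarc_disposition(policy, "provider.example", spf, dkim)
            for name, (spf, dkim) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

The mailing-list message is rejected along with the spoofed one because neither its SPF nor its DKIM result aligns with the From domain, which is the reason list operators and e-mail marketers have to change how they send.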
