AOL was hacked after all.
Last week the level of spam with AOL email addresses jumped up significantly, filling inboxes with garbage emails. At the time, the company insisted that its mail servers weren't hacked, but instead spammers with their own email servers were "spoofing" legit AOL email addresses. Changing passwords doesn't remedy the issue since nothing was hacked to begin with.
"Spoofing is a tactic used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it. These emails do not originate from the sender's email or email service provider -- the addresses are just edited to make them appear that way," writes AOL's Mail Team.
The company announced that it was on the case, and now AOL reports that there was unauthorized access to information regarding a "significant" number of user accounts. Hackers managed to grab email addresses, postal addresses, address book contact information, encrypted passwords, encrypted answers to security questions, and certain employee information. They might as well have grabbed our wallet or purse.
"We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2-percent of our email accounts," the team writes.
The team says that at this point in the investigation, there's no indication that the encryption on the passwords or the answers to security questions was broken. There's also no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted.
Still, AOL wants users to change passwords and security questions.
"The ongoing investigation of this serious criminal activity is our top priority," the team writes. "We are working closely with federal authorities to pursue this investigation to its resolution. Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts."
The team warns that users should not open suspicious emails, and do not click on attachments. If you receive an email with a known AOL address, contact the other party and see if it's legit. Never provide your sensitive personal information in an email to anyone, such as bank details and passwords. If you're a victim of spoofing, tell all your friends so they won't click on disguised attached malware.
"AOL is notifying potentially affected users and is committed to ensuring the protection of its users, employees and partners and addressing the situation as quickly and forcefully as we can," the team writes.