AOL is working with forensic experts and federal authorities to investigate the spoofing attack last week which appears to have given spammers access to customer information including encrypted passwords.
Reports of spam emails flooding AOL inboxes emerged on Tuesday, and AOL immediately began an investigation, according to a new blog post by AOL updating users on the status of the security investigation.
The attack involved unauthorized access to AOL’s network and systems where the spammers were able to see customer information, including AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords, and encrypted answers to security questions for password resets. It is also believed that certain employee information was accessed.
“Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted,” AOL’s security team writes in the post.
Spammers used the contact information to send spoofed emails that appeared to come from around two percent of AOL’s email accounts, according to the post.
AOL is encouraging users and employees to reset their passwords and change their security question and answer in light of the attack. It is also notifying potentially affected users.
Controversy around the security of free email services has not been limited to AOL recently. Last month, Microsoft changed its email policy in response to reports that it snooped in a user’s email account to find the source of a code leak back in 2012.