AOL admits to security breach

According to Reuters AOL has admitted there was a breach of their network security that compromised 2% of their accounts. Users are being told to reset their passwords, and security questions.
AOL started investigating the attack after users started reporting an uptick in spam from aol.com addresses. This spam was using @aol.com addresses to send mail to addresses in that user’s address book.
According to the AOL mail team, they are still investigating the attack, but they do not believe financial information was compromised.  Their statement reads in part:

we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

One of the responses to the attack was to change the AOL DMARC policy from p=none to p=reject. Any ISP respecting DMARC policies on the inbound will reject the spam. Legitimate mail sent through servers that don’t belong to AOL (like mailing lists or ESPs) is also affected by this policy and will not be delivered.
It seems that both the frequency and the severity of security attacks is increasing. It’s always possible this is a consequence of publicity. But the attackers do really seem to be escalating. Much of the data is used to steal financial information, but this recent round of attacks seems to mostly be trying to find new victims to compromise. In any case, security is a major issue that none of us can ignore.

Related Posts

AOL compromise

Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn’t provided any information as of yet as to what is going on.

Read More

New security focused services

Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if a there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.

Read More

The weak link in security

Terry Zink posts about the biggest problem with security: human errors. Everyone who is looking at security needs to think about the human factor. And how people can deliberately or accidentally subvert security.

Read More