AOL admitted on April 28 that its network and systems were recently breached, though it has not publicly disclosed a timeline of when the breach occurred or how long its systems were at risk.
“AOL’s investigation is still under way; however, we have determined that there was unauthorized access to information regarding a significant number of user accounts,” AOL noted in a blog post.
According to AOL, the information accessed includes user email and postal addresses as well as address book contact information. Additionally, AOL warns that the answers to the security questions that are required when a user password reset is requested were also obtained in the breach. Those answers, however, were in an encrypted format, and AOL currently is not aware of the encryption actually being broken.
AOL currently estimates that 2 percent of its users’ email accounts have been impacted, with attackers sending spoofed emails. That’s a nontrivial number of Internet users.