A Note to our Members:

AOL Inc. confirmed today that it is investigating a security incident that involved unauthorized access to AOL's network and systems. AOL is working with best-in-class external forensic experts and federal authorities to investigate this serious criminal activity.

AOL's investigation began immediately following a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses. Spoofing is a tactic used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it. These emails do not originate from the sender's email or email service provider – the addresses are just edited to make them appear that way.

AOL's investigation is still underway, however, the Company has determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. AOL believes that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

Importantly, the Company has no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted.

Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, the Company strongly encourages its users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer.

It is always our intent to be as transparent as possible when it comes to our members' security, and we understand that many members have questions about this incident. Below, we provide answers to the most common questions about this incident we have received.

FAQs

What happened?

Based on our investigation to date, AOL has determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. AOL believes that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

How did this happen?

Our investigation remains ongoing, but we believe that a person gained unauthorized access to the AOL network where some user information is stored.

What specifically has been accessed and/or taken?

Based on our investigation to date, we have determined that there was unauthorized access to email addresses, postal addresses, contact information (as stored in the AOL Mail "address book"), encrypted account passwords, and the encrypted answers to account security questions that we ask when a user resets his or her password.

Importantly, the Company has no indication that the encryption on the passwords or the answers to security questions was broken. In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted.

When did this happen?

Our investigation is ongoing and we have not yet determined the precise timing of when the attacker gained unauthorized access.

Has the issue been resolved?

We have taken a variety of responsive actions to address the unauthorized access to user information and to reduce the incidence of spam directed at our users and arising out of the use of our users' contacts.

Our investigation remains ongoing, however, and we will alert you of any further developments that could impact you.

Is AOL working with law enforcement on its investigation?

Yes.

Do you think your investigation will uncover anything else?

Our investigation remains ongoing, but we are committed to remaining open and transparent and to updating you on developments that could impact you.

How would I know if my information was stolen?

AOL is in the process of emailing everyone whose information was affected by this incident.

Why wasn't I notified sooner?

It is always our intent to be as transparent as possible when it comes to our members' security. As soon as we were alerted to this issue, we began investigating its cause to identify the scope of affected users as quickly as possible. We then quickly took protective measures to address the impacts of the spoofing issue on April 22, 2014 and notified our consumers of that action in a post at blog.aol.com. We gave further information on April 28, 2014.

We want to be as transparent as possible about issues with AOL Mail that may affect you. Please check our blog periodically for the most up-to-date information.

What is AOL doing to protect my account?

AOL is taking a variety of responsive measures to secure user accounts. In addition, AOL strongly suggests that you change your password and your account security question and answer (which is used during password resets) at account.aol.com.

If you use your AOL username and password as the username and password on other online services, you should reset your passwords on those services.

What specifically is "Spoofing"?

Spoofing is a tactic used by spammers to make it appear that a message is from you in order to trick the recipient into opening it. These emails do not originate from AOL Mail systems – the addresses are just created to make them appear that way. AOL is working with other email providers like Gmail, Yahoo! Mail and Outlook.com to stamp out spoofing across the industry, and we have implemented measures that will significantly limit its future occurrence.

(For more information on spoofed AOL Accounts, please read our "What is email spoofing and how can I tell if my account has been spoofed?" article.)

What is AOL Mail doing to prevent spoofing?

We updated our DMARC policy to tell DMARC-compliant email providers like Gmail, Yahoo! Mail, Outlook.com and others (including AOL Mail itself) to reject mail from AOL addresses that are sent from non-AOL servers.

Sending mail on behalf of AOL Mail users from non-AOL servers had been a common and legitimate practice for services like mailing lists and bulk senders. But it also provided the means for spammers to spoof addresses as described above. By switching AOL Mail's policy to "reject," we significantly thwart spammers' ability to spoof AOL addresses. You can read more about AOL Mail's move here.

Should I change my password on other websites?

If you use the exact same password on your AOL account as you do on other sites, it would be a best practice to change it on those other sites. As a general matter, it is a best practice not to use the same password across different accounts.

If my email address has been spoofed, does that mean my account is compromised?

If your AOL email has been spoofed, your account has not necessarily been accessed. Spoofing can occur without compromising your account. For more information on spoofed AOL Accounts, please read our "What is email spoofing and how can I tell if my account has been spoofed?" article.

What information is contained in an Address Book?

Address Book entries may contain any of the following:

First name
Last name
Nickname
IM / Screenname
Email address
Phone number(s)
Home address
Work title
Employer
Work address
Spouse or significant other
Children
Birthday
Anniversary

However, not all fields are required for Address Book entries, and may not have been included.

Is there anything I can do to make my computer and account safe?

AOL strongly suggests resetting your AOL password and on other websites where you use the same username and password. For tips on creating a strong password, please see here.

Another important thing you can do is not click on the links or attachments in a suspicious email. When in doubt about the authenticity of an email you have received, you should consider contacting the apparent sender to confirm that he or she actually sent it. And you should never provide personal or financial information in an email to someone you do not know. If you believe you are a victim of spoofing, consider letting your friends know that your emails may have been spoofed and to avoid clicking the links in suspicious emails.

For more information about spam and what you can do to protect yourself, please visit the websites of the National Cyber Security Alliance and the Federal Trade Commission.

In addition, there are steps you can take to help protect your computer or mobile device against malicious software ("malware").

  • First, you should always promptly install the latest updates that your operating system provider makes available. These updates are very often made to address potential security issues.
  • Second, you should use antivirus or other security software and keep it up-to-date. Although many people have security software on their desktops and laptops, far fewer have security software on their mobile devices.
  • Third, use a strong password and change it regularly. For more information on secure passwords, please read our Tips to create a secure password article.

Why are my contacts still receiving spoofed emails from my email address?

AOL is working with other email providers like Gmail, Yahoo! Mail and Outlook.com to stamp out spoofing across the industry, and we have implemented measures that will significantly limit its future occurrence.

As soon as we received reports about this issue, we immediately began investigating the cause and instituted important changes that have significantly reduced the ability of spammers to send these types of messages.

If your contacts are still receiving spoofed emails, they are likely using an email service provider that does not support the new security measures that AOL implemented. For more information on the actions taken to stop email spoofing, please read our "What is email spoofing and how can I tell if my account has been spoofed?" article.

Can I report suspicious emails?

Yes. To report a suspicious email, please read our "How do I report suspicious mail or scam emails?" article.

You can also manage your spam settings to block specific senders or content, and manage your spam filter. To learn more, please read our "How do I block spam in AOL mail?" article.

Where can I find the most up to date information about this issue?

For the latest information on our investigation, please visit our blog.

In addition, there are steps you can take to help protect your computer or mobile device against malicious software ("malware").

How can I contact AOL?