updated 01:33 pm EDT, Mon April 28, 2014
Potentially millions of users affected by data theft that includes addresses
AOL is notifying email account holders that a recent data security breach has allowed intruders to make off with identifying information on about two percent of its user base. Data compromised in the attack includes AOL email addresses, postal addresses, contact information including cell phone numbers and backup email addresses, some employee personal data, encrypted passwords, and similarly-encrypted answers to security questions.
The number of accounts in question hasn't been released. A significant number of the accounts may have lain fallow for some time, so it is doubtful how effective it will be for AOL to notify account holders through the affected AOL email addresses. It has also not been revealed exactly when the theft took place. AOL is recommending that all customers change passwords and security questions immediately, and also on any other sites where identifying information such as the account name is duplicated.
AOL became aware of the theft when it noted a significant uptick in the amount of spam email seemingly sent from AOL email accounts. The company believes that the encryption on the passwords and security questions hasn't been broken, and also doesn't think that customer financial information was ever at risk.
"The ongoing investigation of this serious criminal activity is our top priority," AOL claims. "Our security team has put enhanced protective measures in place and we urge our users to take proactive steps to help ensure the security of their accounts."
AOL said in a notification to customers that the spoofed emails "do not originate from the sender's email or email service provider -- the addresses are just edited to make them appear that way."