bit-tech.net

AOL hit by massive data breach

AOL hit by massive data breach

The personal details of AOL's millions of customers has been leaked in an attack on the company's systems, resulting in thousands of accounts being hijacked to send spam.

Internet pioneer AOL has warned of a major breach that has affected a significant number of users, leaking email and postal addresses, contact information and password details to attackers unknown.

AOL launched in 1983 as the Control Video Corporation and produced a short-lived modem-based gaming download service for the Atari 2600 dubbed GameLine. The precursor to Valve's Steam and similar digital distribution systems, GameLine was not a financial success; the company had better luck with the Link series of online portals for the Commodore 64, Apple II and Macintosh, and IBM compatibles. In 1989, America Online was born as a walled-garden internet service which included chat, email and several games - including the first-ever web-based interactive fiction series and the first automated play-by-email game.

While internet-savvy consumers soon dropped AOL's walled-garden system for more open services from generic internet service providers, the company still boasts a considerable client base. Despite an ongoing slide in customers, the company boasts a near three-million user count in the US alone - and it's these customers who have been exposed in a serious security breach.

'We have determined that there was unauthorised access to information regarding a significant number of user accounts,' the company admitted late last night, following an investigation into spam messages sent from registered AOL accounts. 'This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly two per cent of our email accounts.'

The company has not confirmed the nature of the 'encryption' used to store the passwords - which should, by industry best practice, be a salted one-way hash function, rather than reversible encryption - but does claim that it has 'no indication' that said encryption was broken; this despite the attackers gaining full access to the accounts from which spam is issuing, an indication that they have indeed been able to retrieve at least some passwords from the corpus.

Users affected by the breach - and, at this point, it looks to cover anyone with an AOL email address, active or otherwise - is advised to reset their password and change their security questions; if the same password is used anywhere else, that should be changed too.

8 Comments

Discuss in the forums Reply
Shirty 29th April 2014, 09:38 Quote
I've still got an AOL CD from the mid 90s at home.

Not relevant to the story but a fun fact nonetheless.
Gareth Halfacree 29th April 2014, 09:48 Quote
Quote:
Originally Posted by Shirty
I've still got an AOL CD from the mid 90s at home.
I'm certain I've an AOL floppy somewhere around here. Oh, and a Commodore Communications Modem - but that came bundled with Compunet, not AOL or its predecessors. I scanned the leaflet and instructions if anyone's curious.
schmidtbag 29th April 2014, 15:38 Quote
Quote:
Originally Posted by Gareth Halfacree
I'm certain I've an AOL floppy somewhere around here. Oh, and a Commodore Communications Modem - but that came bundled with Compunet, not AOL or its predecessors. I scanned the leaflet and instructions if anyone's curious.

I had no idea Europe had anything to do with AOL at any point, except the AIM service, which from what I recall most Europeans replaced with ICQ or MSN.
Flibblebot 30th April 2014, 10:18 Quote
Quote:
Originally Posted by Gareth Halfacree
Oh, and a Commodore Communications Modem - but that came bundled with Compunet, not AOL or its predecessors.
I had one of those. I remember only being allowed to use it late at night so it wouldn't tie the phone line up, and would cost cheaper :D

Back on topic, part of me has to wonder whether this is the end of the Internet as we know it? With all these recent security scares, and the press they've received, will the great unwashed masses start to move away from the Internet because they're worried about the safety of their date?
Gareth Halfacree 30th April 2014, 10:20 Quote
Quote:
Originally Posted by schmidtbag
I had no idea Europe had anything to do with AOL at any point, except the AIM service, which from what I recall most Europeans replaced with ICQ or MSN.
AOL was a major UK ISP; its floppies - and later CDs - were a frequent sight in computer shops, and often came attached to magazines. Its UK broadband business was bought by Carphone Warehouse years ago, mind. End of an era!
schmidtbag 30th April 2014, 14:55 Quote
Quote:
Originally Posted by Gareth Halfacree
AOL was a major UK ISP; its floppies - and later CDs - were a frequent sight in computer shops, and often came attached to magazines. Its UK broadband business was bought by Carphone Warehouse years ago, mind. End of an era!

I'm very sorry to hear you had to deal with that.
mdshann 1st May 2014, 22:29 Quote
They probably didn't bother to break the encryption. They probably just tried to log onto every account with a password of "password" or "123" Remember, these are AOL accounts we're talking about here.
Cthippo 1st May 2014, 22:39 Quote
Keep in mind, all this only works because there are people out there who still not only look at spam, but actually buy things advertised in spam.

I still think we should compromise a botnet, send out tons and tons of spam, and anyone who tries the products advertised gets publicly humiliated. Spammers are bad, no question about that, but the people who buy from spam are the real problem.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums