AOL, which admitted today that its network and systems were recently breached, has not publicly disclosed a timeline on when the breach occurred or how long its systems were at risk.
"AOL's investigation is still under way; however, we have determined that there was unauthorized access to information regarding a significant number of user accounts," AOL noted in a blog post."
According to AOL, the information accessed includes user email and postal addresses as well as address book contact information. Additionally, AOL warns that the answers to the security questions that are required when a user password reset is requested were also obtained in the breach. Those answers, however, were in an encrypted format, and AOL currently is not aware of the encryption actually being broken.
AOL currently estimates that 2 percent of its users' email accounts have been impacted, with attackers sending spoofed emails. That's a nontrivial amount of Internet users.
While AOL only publicly acknowledged that its systems were breached today (April 28), the spoofing attacks have been ongoing since at least April 22.
"If you believe that your account has been compromised, or that your AOL Mail email address has been used to send spoofed messages, please visit the AOL Help site," AOL noted in an April 22 blog post. "AOL takes the security of consumers very seriously, and we are committed to continually improving our security protocols in an effort to prevent situations like this from occurring."
AOL is now recommending that its users reset passwords used for all AOL services. Going a step further, AOL also suggests that users change their security question for password resets as well.
"We are working closely with federal authorities to pursue this investigation to its resolution," AOL stated. "Our security team has put enhanced protective measures in place, and we urge our users to take proactive steps to help ensure the security of their accounts."
This new AOL breach serves as a reminder that organizations big and small are under constant attack and the username/password combination is often the weak link. While we still don't know exactly how AOL was breached, the simple fact is that it happened, and now users need to react immediately.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.