LFI to RCE via access_log injection

AOL security breach from spam attack


AOL has issued a warning to users that personal information has been stolen by attackers, a week after the security of its servers was questioned.

The company on Monday said that the same hackers behind last week's spam deluge were able to infiltrate company servers and lift user information including email addresses, contact lists and home mailing addresses. Additionally, encrypted password and security question answer archives were stolen.

AOL kicked off the investigation last week when users began receiving large amounts of spam from spoofed email addresses. The company believes that the attacks, which circumvented most spam controls, were the result of a mass breach that the company estimates encompassed around 2 per cent of AOL's customer email accounts.

"Importantly, we have no indication that the encryption on the passwords or the answers to security questions was broken," AOL said.

"In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted."
The company told customers that it is currently working with law enforcement to track down the individuals behind the breach.

In the meantime, AOL is advising users to be weary of suspicious or unknown email messages. Additionally, users are being warned not to provide personal information or account details to unknown parties or unsolicited emails claiming to be from AOL administrators. Additionally, users are being advised to change their passwords.

"Although there is no indication that the encryption on the passwords or answers to security questions was broken, as a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer," AOL said.

The recommended steps are all best practices which should be observed by all users regardless of service provider. Though given that the AOL email service traces its roots back two decades to the era of dial-up walled garden ISPs, the company might face an uphill battle in educating users who might be... how do we put this?...unfamiliar with modern security practices.


Comments