Why everyone should care about AOL email hack
Twitter is afire with AOLHack talk
Something has gone horribly wrong with AOL email, and here's what you need to know.
1) If you get an email from an AOL.com email address, treat it as toxic - even if it appears to come from a friend.
2) If you have, or had, an AOL email account, know that your address book may have been stolen by a hacker.
3) How many meaningful emails do you get every day from AOL users anyway?
Sign up for Bob Sullivan's free email newsletter.
Users have been complaining for a few days that rogue email is being sent from their accounts to friends and others in their address book. The emails are traditional phishing attempts, urging recipients to click on a booby-trapped link, like this: "Have you already seen it?" followed by a link to a hacker site.
Of course, because the email arrives seemingly from someone you know, it's more tempting than a random hacker email.
On Monday evening, AOL confirmed there was a problem, but issued only a vague statement. Customer service agents are directing people towards this page, and telling customers to change their passwords. While that's not a bad idea, it doesn't seem to be stopping the spam. Reading the tea leaves, here's what seems to be happening:
A computer criminal has obtained a large number of AOL user address books. It's very hard to guess how many, but judging from the Twitter chatter, it's certainly substantial. That criminal is then using their address to send out "spoofed" emails with fake headers that make them appear to come from an AOL account. It's not unlike sending an old-fashioned letter to someone and putting a fake return address on it so they think it's from someone else.
Spoofing is a pretty common technique, and there's really nothing you can do to stop it. Sometimes you'll find out it's happening because you'll receive a number of email rejection notices in your inbox -- if a spammer uses your address to send a note to an address that's no longer functional, the message will bounce back to you. But it's certainly possible to be the victim of spoofing and never know.

If this operating theory is correct, there's not much you can do to stop it, other than avoid clicking on links in AOL mail. Victims of this hack say that changing their passwords has not stopped the spoofing, which would be consistent with this theory of events. The solution won't even lie within AOL, once it has confirmed criminals are no longer able to access user address books. Eventually, spam-fighting engines around the globe will have to be updated to stop the flow of these emails to recipients.