According to the company, the breach didn’t include encrypted information like passwords or the answers to security questions: that’s not how the hackers accessed accounts. It appears that the hackers do have access to information that customers can see in plain text once logged into their accounts: security question responses, names, mailing addresses, and their e-mail contacts.
In recent weeks, a large number of obviously spammy messages that appear to come from AOL customers have gone out into the virtual mailstream. Most of these messages went out to customers’ own contacts, though, so the question remains: how did hackers get access to their accounts?
For now, AOL is telling other mail providers to block messages from addresses that appear to belong to AOL members but didn’t originate on the company’s servers. If you (or someone who sends you forwards of animated cartoon kittens) happen to be an AOL e-mail user, be sure to change your password and the answers to your security questions.
AOL Investigating Security Incident on Network [Wall Street Journal]