In a long blog post Monday, AOL explains how a spamming/spoofing incident ignited an investigation that led to the discovery that its network and systems had been hacked, with a "significant" number of user accounts accessed in the break-in.
The Internet company vows it's working with external forensic experts and federal authorities to determine who's culpable, and it is advising AOL members to change passwords and other account security data as a protective measure.
But nowhere in the blog post does AOL apologize for the data breach. It does, however, provide a detailed explanation of how the break-in was discovered and how AOL is reacting to the security incident.
Nor does AOL state how many user accounts were actually breached; it uses only the term "significant" and then states it was 2% of its email user base.
AOL said the investigation began after it noticed a significant increase in AOL email spam that used spoofed emails with AOL mail addresses.
"Spoofing is a tactic used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it. These emails do not originate from the sender's email or email service provider - the addresses are just edited to make them appear that way," explains the blog.
AOL said hackers got access to AOL users' email addresses, post office address information, encrypted passwords and answers to security questions, as well as "certain" employee information.
"We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts," states the blog.
The blog post noted that, as of now, email users' passwords and security information were not breached and there is no indication that users' encrypted financial information was broken into.
"As a precautionary measure, we nevertheless strongly encourage our users and employees to reset their passwords used for any AOL service and, when doing so, also to change their security question and answer," recommends the blog. It also lists other tips, including not clicking on suspicious mail, not providing any confidential financial or personal data in response to email from an address you're not familiar with, and keeping an eye out for your email address being used in a spam/spoof.
"AOL is notifying potentially affected users and is committed to ensuring the protection of its users, employees and partners and addressing the situation as quickly and forcefully as we can," states the blog.