In a blog post, AOL (which owns TechCrunch) wrote that its investigation is still ongoing, but it acknowledged that a “significant” number of users were affected, with the spoofers gaining access to “AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information.”
The company said that the encryption on passwords and security questions was not broken, but it still suggests that users change them.
“In addition, at this point in the investigation, there is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted,” AOL wrote.
Spoofing involves sending spam messages that appear to come from an email user but don’t in fact originate from that user or their email provider. In this case, the company says spoofed emails appeared to be sent from “roughly 2%” of all AOL accounts.
Following the spoofing incident, AOL said that it was increasing security measures to prevent future hacks.