AOL Inc. said Monday that hackers had stolen the email addresses, postal addresses, address books, encrypted passwords and the encrypted answers to security questions of "a significant number of user accounts."
AOL suggested that all its users and employees change their passwords and their security questions and answers to protect themselves.
"The ongoing investigation of this serious criminal activity is our top priority," AOL said in a note. "We are working closely with federal authorities to pursue this investigation to its resolution. Our security team has put enhanced protective measures in place, and we urge our users to take proactive steps to help ensure the security of their accounts."
AOL said it began investigating the matter after it saw a significant increase in the amount of spam email being sent from accounts that were set up to look like AOL Mail addresses. This is a tactic known as "spoofing."
Spoofing is "used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it," AOL said. "These emails do not originate from the sender's email or email service provider -- the addresses are just edited to make them appear that way."
The company said spammers appear to be using the stolen contact information to send spoofed messages from email addresses mimicking 2 percent of AOL's accounts.
The rise in spoofed AOL spam email occurred last week. John Levine, who co-wrote "The Internet for Dummies," said it is hard to gauge how significant the AOL breach may be because the company did not say how many users were affected.