AOL hacked…again

It’s difficult for me to classify this as an Internet story since it involves AOL.  Anyone who has been in the technology industry as a profession knows all too well that AOL is anything but an Internet service.  In fact, seeing the acronym “ISP” used in reference to AOL must surely insult real Internet Service Providers in the most demeaning way.

As proof of AOL’s continuing inability to provide any level of security with their service or their internal network or their employees, hackers last week were able to compromise AOL’s internal — yes, I mean internal — network and Merlin, the internal database which AOL uses to track the account information of its 35 million subscribers.

This most recent hack of AOL gave the attackers full and unfettered access to Merlin.  Since Merlin is an internal database application, yet hackers were able to break in and compromise the system, it should certainly beg the question of how safe the AOL service itself really is (if they can’t even protect their internal network).

Since Merlin requires a user ID, two passwords, and a SecurID, it raises serious concerns over how the system could have been compromised.  Well, it would seem the hacker or hackers in question utilized a series of attack vectors in order to gain access.  None of the possible attacks are new to anyone in the technology industry, and they certainly are not new to AOL (since most, if not all, have been used to hack AOL before).  Some of these possible vectors are “social engineering” of an AOL employee, password trading, and spamming the AOL employee database with false security updates — to name a few.

This is not an isolated incident with AOL, so don’t panic over this single incident.  You should panic over the frighteningly large number of successful hack attacks on AOL over the last several years — against both their internal and their external networks.

Given AOHell’s apparent inability to secure their service from inside or outside, given their history of exposing their customers’ personal account information to hackers or anyone willing to call and ask for it, and given their apparent inability to provide any level of safety to their subscribers, I would personally recommend not using any AOL product.

If you’d like an example of how easy it is to hack AOL, just do a search at Google for “aol hacks” to find out.

If this single story doesn?t scare you away from AOL and it’s apparent disinterest in providing for the security of its subscribers’ information, then perhaps the following references to previous hacks and security incidents will.

September 1995 — Hackers access the email of AOL’s CEO

September 1996 — Hackers deface Court TV on AOL

March 1997 — AOL’s The Hub hacked

April 1997 — AOL’s GameWIZ hackedtwice

April 1997 — AOL employee FTP sites hacked

September 1997 — Business Week on AOL hacked

December 1997 — AOL’s NetNoir are hackedtwice

January 1998 — AOL personnel freely give out personal information on account holder

May 1998 — AOL’s ACLU area hacked

May 1998 — CNET reporter’s AOL account hacked after investigating the ACLU AOL hack

June 1998 — AOL database of volunteers hacked

September 1998 — AOL’s NetNoir area hacked again

June 1999 — AOL’s Academic Assistance Center content is hacked

January 2000 — AOL’s employee bulletin boards compromised

January 2000 — Big back door found in AIM service

March 2000 — “MacGyver” AIM account hacked NOTE: This was two weeks after AOL said it had fixed this security hole)

June 2000 — AOL says hackers may have stolen credit card numbers

July 2000 — AOL flaw allows children to bypass parental controls

April 2002 — AOL Instant Messenger hacked by three 17-year-olds

Rather than bore you with the enormous list of hacks, you can check out a list of related articles and resources here.

And remember, friends don’t let friends use AOL.

Leave a Reply