Last week, AOL confirmed that an unknown number of AOL Mail accounts have been hacked. Today, the company urged all its customers to change passwords and security questions, as it determined that information for at least two percent of all its accounts had been compromised. That's an impact of half a million users.

Attackers breached AOL’s systems and gained access to e-mail addresses, encrypted passwords, answers to security questions, and other contact information (including postal mailing addresses). While the mailboxes themselves were not compromised, the attackers used the contact information in a barrage of “spoofed” e-mails from those addresses—messages sent from outside AOL’s network with forged “from” address headers. Those e-mails are part of a large-scale phishing operation containing malicious Web links.

An AOL spokesperson said that the company is working with federal law enforcement to investigate the attack on its servers and that there was no indication that encrypted passwords were cracked by the attackers. The company has also changed its Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to “p=reject”—meaning that other mail services will automatically discard messages sent by someone using an AOL.com mail address when a message is sent from a non-AOL server.