AOL/AIM account security

[ixfd64]

Last December, someone cracked into my AIM account (which I rarely use these days) in an attempt to steal my RuneScape account. I had linked my AIM account to my Facebook account, and the person was asking my Facebook friends questions about me in order to guess my recovery answers. Luckily, I was able to recover my AIM account and lock the "hacker" out before he was able to do more damage.

 

But about two weeks ago, my AIM account was cracked again. I could tell it was the same guy because he changed my real name to "D. Willis" (under the AOL account settings) both times. The strange thing is that my AOL account log shows that my password and recovery answer were "modified" (and not "reset"), meaning that the person knew what they were. This is very strange because my password and recovery answer were designed to be extremely hard to guess. Normally the only way to find them out would be to use a keylogger, but I don't think I have one on my computer because 1) I did several virus scans, and all came back clean, 2) I could find no unusual processes running on my computer, and 3) if the person did put a keylogger on my computer, he would have just accessed my RuneScape directly instead of going through all that trouble.

 

So my question is: how else was the "hacker" able to find them out? Sure, it's theoretically possible that he actually hacked into the AOL servers and brute-forced the hashes, but I doubt real hackers in the league of Anonymous/LulzSec/etc. would be interested in someone's online game account.

 

Edit: I'm aware that someone did hack into AOL and do a partial database dump a couple of months ago, but the last time I changed my password and recovery question before the "hacker" got ahold of them was after the dump happened.

[Sbrideau]

What I would do is unlink your facebook and rs accounts from that AIM account for added security and link it to another account/new AIM account. I would keep that old AIM account for security purposes, but it would make it harder for that person to get your information.

 

As for how he's able to get into the account, is your password longer than 8 Characters? There are ways, but I'm not familiar with them, except for the passwords shorter than 8 Characters in Windows.

[ixfd64]

My password was 14 characters long, so I highly doubt it was brute-forced. Not to mention that it would have had to be done over an Internet connection, which is much slower than, say, brute-forcing a hash.

[Mercifull]

Consider activating 2-step verification on Facebook as well. That would help prevent malicious access,

[Sbrideau]

Well I know how easy it is to get the password hashes for the Windows passwords, that's why I was suggesting the 8 character lenght, but if it was 14 characters long, then it's very unlikely that it was the method they used.