E-mail Password Exploit

The exploit (which no longer works) worked like this:

You register a new screenname (e.g. FakeSN101) under an e-mail address (e.g. xNemisisx@yahoo.com) that also has the screenname you want to steal (e.g. xNemisisx2) registered under it. Then you sign on to AIM with your new screenname and go to the update e-mail address option on your buddy list's My AIM menu. You update your e-mail address to an e-mail in your possession. I recommend Yahoo or Hotmail (e.g. xBillyslavex@yahoo.com).

An e-mail is sent to both xNemisisx@yahoo.com and xBillyslavex@yahoo.com. E-mail #1 says that an update e-mail request was made from FakeSN101 to change the e-mail from xNemisisx@yahoo.com to xBillyslavex@yahoo.com, and that if you want to cancel the request you should respond to the e-mail; if you want the request to go through, you do not respond. E-mail #2 says basically the same thing, but if you want to continue with the request (not cancel it) then you must respond to the e-mail. After 72 hours, if they have not received a cancel request from E-mail #1 and have received the go-ahead from E-mail #2, the change of address goes through.

This is where the exploit came into play: not only would FakeSN101's e-mail address be changed to xBillyslavex@yahoo.com, but ALL screennames registered under xNemisisx@yahoo.com would be changed over too. That meant you could make a lost password request, which would be sent to xBillyslavex@yahoo.com, for any screenname originally registered under xNemisisx@yahoo.com.

AOL fixed this exploit by not allowing the update e-mail address to be carried over to all accounts registered under E-Mail #1.
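The difference between the flawed behaviour and the fix can be modelled as the scope of one update statement. This is an added example, not AOL's code: the `accounts` table, its columns and the function names are assumptions made for illustration, and the rows are constructed from the names used above.

```python
import sqlite3

# Constructed sample data: the screennames and addresses used in the text.
ROWS = [("FakeSN101", "xNemisisx@yahoo.com"),
        ("xNemisisx2", "xNemisisx@yahoo.com")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (screenname TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return db

def change_email_flawed(db, requester, new_email):
    # Flawed: the update is keyed on the old address, so every screenname
    # that shares it is moved along with the requester.
    (old,) = db.execute("SELECT email FROM accounts WHERE screenname = ?",
                        (requester,)).fetchone()
    db.execute("UPDATE accounts SET email = ? WHERE email = ?", (new_email, old))

def change_email_scoped(db, requester, new_email):
    # Scoped: only the screenname that made the request is updated.
    db.execute("UPDATE accounts SET email = ? WHERE screenname = ?",
               (new_email, requester))

def reset_address(db, screenname):
    # Address a lost-password message for this screenname would be sent to.
    return db.execute("SELECT email FROM accounts WHERE screenname = ?",
                      (screenname,)).fetchone()[0]

def run(change):
    # Apply one confirmed change request and report where resets would go.
    db = make_db()
    change(db, "FakeSN101", "xBillyslavex@yahoo.com")
    return {sn: reset_address(db, sn) for sn, _ in ROWS}

if __name__ == "__main__":
    print("flawed:", run(change_email_flawed))
    print("scoped:", run(change_email_scoped))
```

A regression test for this class of bug asserts that a change requested by one account leaves the recovery address of every other account untouched.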
