Skip to main content

Why are Skype accounts getting hacked so easily?

Why are Skype accounts getting hacked so easily?

/

Secure your Skype account immediately

Share this story

If you've received a weird message on Skype with a link to Baidu or LinkedIn recently, you're not alone. In the past couple of weeks, I've received spam links to Baidu from six of my Skype contacts, one of whom works for Microsoft's PR agency and another is a former Microsoft employee. All were surprised to see their accounts breached, and some believed they were protected by Microsoft's two-factor authentication. That wasn't the case, though.

A thread on Microsoft's Skype support forums reveals this has been occurring to hundreds of Skype users since at least August. Breached Skype accounts are used to send thousands of spam messages before they're locked and the owners have to regain access. Skype has fallen victim to similar attacks before, and hackers were able to spoof messages on the system last year after using lists of stolen usernames and passwords to gain access to accounts.

Microsoft says there is no breach of Skype security

"Some Skype customers have reported their accounts being used to send spam," says a Microsoft spokesperson in a statement to The Verge. "There is no breach of Skype security, instead we believe criminals are using username and password combinations obtained illegally to see if they exist on Skype. We continue to take steps to harden the login process and recommend customers update their Skype account to a Microsoft account to benefit from added protections such as two-factor authentication."

This year's attack appears to be growing in size, and Skype users might think they're protected by Microsoft's two-factor security, when in reality they're probably not. Microsoft offers the ability to link a Skype and Microsoft Account together to make sign-in and security easier. If you already enabled this months ago, it turns out that Microsoft has kept your original Skype account password separate so that it can still be used to access the service with a Skype username. If that password isn't secure or you used it elsewhere then hackers can use it to gain access to Skype, bypassing any two-factor authentication provided by Microsoft.

Your Skype account might not be as secure as you think

I spoke to a Microsoft employee, on condition of anonymity, who had a Skype account breached recently. The Microsoft employee had used two-factor authentication, but hackers were able to log in using an old Skype username and password combination. I even tested this on my own personal accounts, and I was able to log into my Skype account with an old password despite linking it to my Microsoft Account months ago. I thought I was protected by Microsoft's two-factor authentication, but I wasn't.

It's a bizarre situation that highlights Microsoft's challenges of integrating Skype, while upgrading its aging infrastructure away from a peer-to-peer service. Microsoft had to patch a major flaw that left Skype accounts open to attack if you knew the associated email address back in 2012. It was an embarrassing security hole that was fixed the same day, but it knocked confidence in Microsoft's approach to securing Skype. The ability to bypass Microsoft's two-factor authentication is yet another dent in Skype's security.

Despite this glaring hole, Microsoft has a fix, but it's not making it very clear to users who have already linked accounts or automatically fixing it for them. If you've already linked a Microsoft Account to Skype, then you'll need to "update" your Skype account to ensure it's fully merged over at Microsoft's account page. Here are the steps:

  • Go to https://account.microsoft.com, if you're already signed in, sign out.
  • Enter your Skype name, not your Microsoft Account email address, and use your Skype password to sign-in
  • If you've linked your Microsoft Account previously, you'll be prompted to sign-in and merge the accounts to create a Skype alias

Secure your Skype and Microsoft Account immediately

Once the two accounts are properly merged, Microsoft creates a Skype alias to let you keep signing in with a Skype username. You can continue using this or disable it under the aliases preferences, to ensure nobody can try to sign in with your Skype username. Either way, you won't be able to use your old Skype password anymore, and attackers will have to know the email address associated with your account.

This entire process seems messy, but it appears to be the best way to secure your Microsoft account. If you've already linked a Skype username then I would suggest doing this extra merge process immediately, to secure your account. If you haven't linked Skype and Microsoft Accounts at all, then you should be safe to link and merge with the new process.

I asked Microsoft to explain why it hasn't alerted Skype users that have previously linked their Microsoft Accounts to this new merging option. “To benefit from added protections such as two-factor authentication, it is important that customers follow all the steps to update their Skype account to a Microsoft account," explained a Microsoft spokesperson. Detailed instructions are available at https://support.skype.com/en/faq/FA34657/one-account-for-skype-and-your-other-microsoft-services. If further assistance is needed, we invite customers to contact customer support at https://support.skype.com/en/skype/windows-desktop/.”