I rarely use Skype, so I was surprised when I was notified upon signing in yesterday that I needed to change my password. I didn’t really think much of it — I was about to jump into a meeting — but I was told today that one of my contacts, who I haven’t contacted over Skype in about a month, received a pretty sketchy link from me recently.
So I did a little digging and found this rather worrying November 2016 post from Tom Warren of the Verge:
This year’s attack appears to be growing in size, and Skype users might think they’re protected by Microsoft’s two-factor security, when in reality they’re probably not. Microsoft offers the ability to link a Skype and Microsoft Account together to make sign-in and security easier. If you already enabled this months ago, it turns out that Microsoft has kept your original Skype account password separate so that it can still be used to access the service with a Skype username. If that password isn’t secure or you used it elsewhere then hackers can use it to gain access to Skype, bypassing any two-factor authentication provided by Microsoft.
I spoke to a Microsoft employee, on condition of anonymity, who had a Skype account breached recently. The Microsoft employee had used two-factor authentication, but hackers were able to log in using an old Skype username and password combination. I even tested this on my own personal accounts, and I was able to log into my Skype account with an old password despite linking it to my Microsoft Account months ago. I thought I was protected by Microsoft’s two-factor authentication, but I wasn’t.
Many of us probably created our Skype accounts many years ago, well before Skype was acquired by Microsoft, at a time when we might have paid less attention to creating secure passwords. And because Skype is almost always accessed as an app instead of a website, most of us probably saved whatever crappy password we set at the time and forgot all about it.
It turns out that we haven’t been following the greatest security protocol in the world. But instead of advising users proactively, Microsoft has opted to notify users after signing in and has allowed users two ways of logging in. I think that’s a terrible policy.
You may wish to check your long-dormant Skype account to see if it was compromised, and either disable it or follow Warren’s instructions to secure it.