Skype accounts have been hacked since at least August last year. Breached Skype accounts are used to send thousands of spam messages before they’re locked by Microsoft. The owners then have to regain access, and that is when most find out about it. Skype has fallen victim to similar attacks before: in 2015, hackers were able to spoof messages on the system after using lists of stolen usernames and passwords to gain access to accounts.
Problem
This wave of attacks appears to be growing in size, and Skype users who opted for Microsoft’s two-factor security are also vulnerable. Microsoft offers the ability to link a Skype account and a Microsoft Account together to make sign-in and security easier. It turns out that Microsoft keeps your original Skype account password separate so that it can still be used to access the service with a Skype username. If that password isn’t secure, then hackers can use it to gain access to your Skype account, bypassing any two-factor authentication provided by Microsoft. Essentially, Microsoft has left a backdoor open to their vaunted two-factor security! It can be safely assumed that the new wave of attacks is dictionary-based and that Skype / Microsoft allows unlimited login attempts at some entry point.
Solution
The solution, in brief, is to switch to Microsoft’s two-factor security and then disable access by the old method.
1. Update your Skype account to a Microsoft account:
- Go to https://account.microsoft.com. If you’re already signed in, sign out.
- Enter your Skype name and password when prompted, and then select Sign in.
- If your Skype account is not updated already, you will be notified to update your account.
- Select Next to continue.
- You will be asked to add an email to your account, and verify that email.
- Congrats, your Skype account is also a Microsoft account.
2. Ensure that your Accounts are fully merged:
- Go to https://account.microsoft.com. If you’re already signed in, sign out.
- Enter your Skype name, not your Microsoft Account email address, and use your Skype password to sign in.
- If you’ve linked your Microsoft Account previously, you’ll be prompted to sign in and merge the accounts to create a Skype alias.
3. Disable Skype alias:
Once the two accounts are properly merged, Microsoft creates a Skype alias to let you keep signing in with a Skype username. Disable it under the aliases preferences, to ensure complete protection.