If you don't have time to read the full post below, these are the minimum steps you should follow to secure your Skype account:

- Sign in with your Skype account (old Skype username, not email or phone number)

For the most complete fix, and a little background, read on.

There has been quite a peak of spam on Skype this week, involving compromised credentials. I received several spam messages from contacts of mine, all of whom were knowledgeable about IT security, and avid users of password managers and two-factor authentication. The spam messages were simple links via Baidu or LinkedIn open redirect endpoints. The links had been tagged with my owner username, likely to give them info on whose accounts to target next.

After a little bit of digging, I found vulnerabilities in my own Skype account setup. I expect many people to be in a similar position, based on Microsoft + Skype's approach to account migrations over the years. These vulnerabilities are simple to close. Leaving them open leaves you at high risk of being the source of embarrassing spam messages to your contacts, and potentially being locked out of your Skype account for good.

Issue

Long time users of Skype will have set up their Skype account under a username. (Skype accounts aren't always linked to email addresses, making the password recovery process notoriously difficult.) The sign up flow never used to prompt for an email address or phone number. (It does now.)

After Microsoft acquired Skype, they added support for 'linking' a Microsoft account to your Skype account. Anybody who has used the Windows 8 or Windows 10 apps for Skype will have been encouraged down this path. This allowed me to log in to my Skype account via my Microsoft Account ( Linking a Microsoft account never prevented the Skype-based sign in. Skype accounts have never supported two-factor authentication.

Skype accounts are actively being compromised via simple username + password authentication, with no second factor validations in play. Skype are stating that this is most likely due to credential re-use, however I know of one IT security professional whose account was compromised despite using a unique password that was always stored in a password manager. Considering the simplicity of Skype's overall approach to authentication, and their rather broad range of client APIs, I'd postulate that there's some brute forcing in play as well, or there has been a credential leak.

Microsoft are on a mission to merge all of their identity platforms: consumer Microsoft accounts, work or school accounts (OrgId / AAD), and Skype accounts. As part of this process, they're supporting the use of multiple 'aliases' for each account. These are essentially multiple usernames. It's a mammoth effort behind the scenes.