The story of my Skype account getting hacked

I have a Skype account, but I don't use it that often. In mid-November, I got 3-4 emails from Skype in Russian. I get a lot of email, so I didn't bother to translate them. Then I got this email:

"I am a researcher in the field of security. Unfortunately Skype support does not respond to a message about the vulnerability of their systems. You quadrupeds person and may be able to influence the situation.
I apologize ... Your password from skype account - [removed]. 
I also examine the security of your systems. If you're interested, I can send you the results.
With best regards...."

That's an interesting email to get. The next morning, http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address/ reported that Skype had a security hole that let anyone hijack your Skype account using only your email address.

Skype fixed the hole and issued a statement saying "We are reaching out to a small number of users who may have been impacted to assist as necessary." I literally only use Skype when I'm a guest on This Week in Google (see http://twit.tv/twig ), so it wasn't until today that I tried to log in. Sure enough, my original password didn't work.

Some quick thoughts:
- As always, it sucks to get hacked. I've talked to a lot of people who have had their website hacked, and it really feels like a violation. In this case, I had a month of distance and the attacker sent me the new password, so it wasn't really that stressful. It does suck that it was Skype's fault though--the best security practices in the world don't help if the vulnerability is on the provider's side. If I had any money stored with Skype, I'd feel more angry and disappointed.

- I'm doubly disappointed that Skype said that they'd reach out to users who were impacted, but they never reached out to me. Are there other Skype users who were hacked that Skype hasn't notified or helped?

- On the other hand, I'm not that angry at the "security researcher" who hacked my account. He emailed me to let me know the new password, which is about as polite and good-mannered as you can expect from someone hijacking your account.

Account security matters. In this case, the hack was out of my hands. But it's still a good idea to use protection like two-step authentication: http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744 . Also, don't forget to use a PIN or unlock pattern on your cell phone.
40 comments
 
You can never be too safe these days. I think people become too complacent and trust the application and its programmers to do their job properly - but things get overlooked. Good advice... I use 2 factor authentication, it was a little inconvenient at first but definitely worth it.
 
another thing you and I have in common: I don't use skype often either! :D 

(is there a reason? with Google Hangout freely available?)
 
I know that feeling of violation. I had my Google Account totally taken over a few years back. It cost me $500 to pay the hacker to get it all back.

In hindsight it was a good lesson learnt and shortly after Google introduced 2-Step Authentication.

I now feel a lot safer and make sure all passwords are unique.

Unfortunately until something like this actually happens to you most people become complacent. 

And now, more than ever, as we're storing more and more stuff in the cloud it's vital to be careful. I only use services that provide 2-step authentication where I can.
 
If M$ had done any research about those attacked and the relative size of their social reach, they would have notified you. Seems really shortsighted.
 
Interesting story! Had this person used your account to contact Skype to make them aware of the vulnerabilities, or was it purely coincidence they patched it up the morning afterwards?
 
I used to use skype. Nowadays I only use Hangouts, I prefer them.
 
The problem with the two-step auth is when you're out of the country without roaming services and can't receive text messages. Now, of course you can work around it, but when you use your phone it's just too much hassle.
Just happened to a good friend of mine a couple of days ago...
 
+Nir Alfasi you don't need SMS or internet connection if you download the Google Authenticator app.
 
Well, you should be using a stronger password than 'removed'. Tsk, tsk...
 
damn. I had one of my hotmail accounts and someone sent me a link to a site that had my facebook username and password on it...
really bad stuff. 
 
Good to know. It's always discomforting when a big provider like Skype shows such security flaws.
 
The most disturbing part is that Skype didn't bother to fix this problem for months, and only when major blogs posted about it everything got fixed swiftly (I mean, how hard was it to not send the "password reset token" to both the email and the client at the same time? really?).
 
Not that I never did, but after the recent hack at LinkedIn, I got even more serious about using stronger unique passwords for each major site coupled with a good password manager like 1Password.
 
It's amazing to me that they left Skype accounts this vulnerable, yet spent massive effort making the client app resilient to hacking -- primarily to prevent people from creating interoperable products.
 
Lastpass, or its brethren, is your best friend. Thanks for the update +Matt Cutts
 
Lapse or not... Nothing is secured over the internet. You and your all data are vulnerable. That's the irony of information age as of now.
Viet La
 
It's funny. When I updated my last name on Skype, it did not accept it. The validation rule required at least 3 characters for last name. LOL.
 
My Skype account was hacked months ago. This guy refilled my account using my credit card, then called someone from the Maldives.

I don't understand why people with a luxurious life in the Maldives would hack and use my account.

I reached out to Skype, they say they are sorry and they can't do anything about that. I ended up paying 30 euro for calls I didn't make...
eL pmpy
 
you always have more a secret admirer...!!!
 
It's not new. That security hole was reported a long time ago...!
 
The problem with Google's two-factor authentication is the application-specific password. Anyone with your ASP can access your account with an Android 4 device. The stock browser in your Android 4 device will be very 'helpful' and automatically log into your Google account. All you need to do is to register your Google account with your ASP on your Android device.
 
well at least I now have an excuse for all the drunken tweets that may occur! "I was hacked by Russians, honest."
 
+Matt Cutts I trust you reported this contact to your "security officer" :-) though contacting an ex-NSA employee (even an intern) has got to be the height of stupidity, either that or they were trying to use this contact as a form of social engineering to try and hack some of your more important kit.

Could also have been a KGB Line X officer if one is being paranoid :-)
 
+Sergey Marchuk people use skype because it's better than G hangouts which to be blunt is crap (for the things people use skype for). You don't see Uncle Leo +Leo Laporte using Hangouts for guests, do you?
 
I would not expect someone of your caliber to admit to this, but I am truly thankful that you have shared this experience so that we may all benefit. You are a man of integrity - unlike the typical hacker.
 
I had no idea this was possible, and my team uses Skype all day long. Thanks for sharing.
 
Hmm, timing is surprising as Skype just merged with MSN live messenger: hope this is not fake!
 
Mine had gotten hacked last year and ended up charging my credit card 40 bucks in credits from some guy in india or pakistan?? Sigh...so anyways...I only use mine to call out to non skype users. So I took off my credit card information just in case. Woke up this morning and just happened to notice that my skype account had gone from like $2.40 to 0. Looked and lo and behold my email address had been changed to someone else's....grrr...I mean not nearly the loss as the first time but this is ridiculous and I have never been contacted either.
dj slue
 
Mine was hacked on the 28th of Feb. I noticed 2 separate charges today of 50 & 100 British Pounds. I had to upgrade my account in order to receive "Support" and then they asked me 7 different questions to change my password. Thing is I already had access to my account. So that was pointless. Then they refused to refund me saying the charges didn't happen. When I was clearly charged in PayPal. I gave up on them. Contacted PayPal and they reversed the charges for me.

I'm DONE with Skype. Wasted 3 hours on them today, and it only took 15 minutes for PayPal to fix it.
 
Yeah I had to get my bank to fix my issue...they did give me my money....are there any other services that work like skype? Cheaply?
 
Just got hacked, unfortunately lost credit because of it, someone hacked it and called a conference in the UK.
 
Man all I can say is buy what you want then take your credit card off of it...I personally don't buy credits..I just get the call out feature which I pay for once a year. I'm starting to think for that it might be cheaper just to pay for magic jack....