The story of my Skype account getting hacked
I have a Skype account, but I don't use it that often. In mid-November, I got 3-4 emails from Skype in Russian. I get a lot of email, so I didn't bother to translate them. Then I got this email:
"I am a researcher in the field of security. Unfortunately Skype support does not respond to a message about the vulnerability of their systems. You quadrupeds person and may be able to influence the situation.
I apologize ... Your password from skype account - [removed].
I also examine the security of your systems. If you're interested, I can send you the results.
With best regards...."
That's an interesting email to get. The next morning, http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address/ reported that Skype had a security hole that let anyone hijack your Skype account using only your email address.
Skype fixed the hole and issued a statement saying "We are reaching out to a small number of users who may have been impacted to assist as necessary." I literally only use Skype when I'm a guest on This Week in Google (see http://twit.tv/twig), so it wasn't until today that I tried to log in. Sure enough, my original password didn't work.
Some quick thoughts:
- As always, it sucks to get hacked. I've talked to a lot of people who have had their website hacked, and it really feels like a violation. In this case, I had a month of distance and the attacker sent me the new password, so it wasn't really that stressful. It does suck that it was Skype's fault though--the best security practices in the world don't help if the vulnerability is on the provider's side. If I had any money stored with Skype, I'd feel more angry and disappointed.
- I'm doubly disappointed that Skype said that they'd reach out to users who were impacted, but they never reached out to me. Are there other Skype users who were hacked that Skype hasn't notified or helped?
- On the other hand, I'm not that angry at the "security researcher" who hacked my account. He emailed me to let me know the new password, which is about as polite and good-mannered as you can expect from someone hijacking your account.
Account security matters. In this case, the hack was out of my hands. But it's still a good idea to use protection like two-step authentication: http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744. Also, don't forget to use a PIN or unlock pattern on your cell phone.