Skype hack steals accounts with nothing more than your email

Nov 14, 2012

A Skype security flaw could allow rogue users to seize control of your account using nothing more than your email address, thanks to subpar recovery policies that can be easily gamed. The exploit depends on Skype’s policy of reminding new sign-ups of any existing usernames they have previously registered, when they attempt to re-register using the same email address. According to The Next Web, with a minor amount of tinkering, it’s possible to reset another user’s password and thus grab hold of their account.

Although a signed-in user will be able to see when somebody else attempts the hack, they would need to react fast in order to actually prevent themselves from being locked out. If they were not logged in at the time, or not paying sufficient attention, then they could have their Skype credentials usurped – along with any credit on that account – without them even realizing it had happened.

Skype is apparently conducting an “internal investigation” into the loophole, though for now there’s no official comment on when it might be closed off. The hack was first reported on a Russian forum roughly two months ago, it’s said, with the person responsible for discovering the exploit claiming to have told Skype about it with no apparent change in recovery security.

For the moment, the best advice is to change your registered email in the Skype settings to something that might not be associated with your account. That reduces the likelihood, though we’ll need to see a change in how accounts are handled by Skype itself before the hack is closed down for good.

Update: More complete instructions for the workaround can be found here, courtesy of Reddit:

Log in on skype.com
Go to the profile, click Edit and add an email address an attacker won’t guess. (Or [email protected] if you’re using Gmail)
Click Save
Click Edit again, set the new address as Primary
Click Save, enter the password and click the Enter button
Delete the old email

Update 2: Skype has given us the following statement:

“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority”

Previous articleLeaked image purported to be Galaxy Axiom smartphone

Next articleEverQuest II launches new expansion called Chains of Eternity

Magic Keyboard Case for iPad Pro just had its price slashed

The Google Pixel Tablet just took a big step closer to release

Hackers wiped out this popular tax prep software as filing deadline looms

Best Buy launches recycle-by-mail program to safely dispose of unused tech

Mobvoi’s Wear OS 3 update might not arrive until later this year

I think I just found the perfect ChatGPT iPhone app

7 WAYS SOFTWARE SOLUTIONS CAN IMPROVE YOUR BUSINESS

If you can’t stand ads on Instagram, you’re going to hate this update

These Android apps are spying on you — and there’s no easy way to stop them

Our 5 favorite iPhone and Android apps by Black developers

I tested the Galaxy S23 Ultra and iPhone 14 Pro cameras. Only one is a winner

Oppo Find N2 Flip vs. Galaxy Z Flip 4: things just got interesting

The Most Popular VPNs: Ranked

Mobile App Vs. Mobile Website: A UX Comparison – Which Is The Better Option?

Using the Snapdragon 8 Gen 2 showed me that 2023 phones will be monsters

How to stop spam calls on iPhone and Android phones

How to use ChatGPT on your iPhone and Android phone

How to connect your Samsung Galaxy Watch 5 or 4 to Peleton

How to customize watch faces on a Fossil Gen 6 smartwatch

How to control your privacy settings on Strava