The Really Really Short Version
If you don’t have time to read the full post below, these are the minimum steps you should follow to secure your Skype account:
- Visit https://account.microsoft.com
- If already signed in, sign out
- Sign in with your Skype account (old Skype username, not email or phone number)
- Follow the bouncing ball to completion
For the most complete fix, and a little background, read on.
There has been quite a spike in spam on Skype this week, involving compromised credentials.
I received several spam messages from contacts of mine, all of whom were knowledgeable about IT security, and avid users of password managers and two-factor authentication. The spam messages were simple links via Baidu or LinkedIn open redirect endpoints. The links had been tagged with my own username, likely to give them info on whose accounts to target next.
After a little bit of digging, I found vulnerabilities in my own Skype account setup. I expect many people to be in a similar position, based on Microsoft + Skype’s approach to account migrations over the years.
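A triage helper for the kind of message described above, added here as an example and not taken from the original post: it flags links on the named redirector domains that expose an off-site destination or carry the recipient's username. The URL paths, parameter names, sample messages and the `alice_1999` username are constructed, and carrying the destination in a query parameter is an assumption about how such redirects are built.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Domains the post names as abused redirectors; extend from your own triage.
REDIRECTOR_DOMAINS = ("baidu.com", "linkedin.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def on_domain(host, domain):
    # Exact host or a true subdomain; "notbaidu.com" must not match.
    return host == domain or host.endswith("." + domain)

def is_redirector(host):
    return any(on_domain(host, d) for d in REDIRECTOR_DOMAINS)

def triage_message(text, recipient):
    """Return redirector links that expose an off-site target or name the recipient."""
    needle = recipient.lower()
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")  # drop sentence punctuation glued to the link
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed authority, e.g. broken IPv6 brackets
            continue
        if not is_redirector(host):
            continue
        values = [v for _, v in parse_qsl(parts.query)]  # already percent-decoded
        targets = []
        for v in values:
            if re.match(r"https?://", v, re.I):
                t = (urlsplit(v).hostname or "").lower()
                if t and not is_redirector(t):
                    targets.append(t)
        in_query = any(needle in v.lower() for v in values)
        in_fragment = needle in unquote(parts.fragment).lower()
        tagged = bool(needle) and (in_query or in_fragment)
        if targets or tagged:
            findings.append({"url": url, "targets": targets, "tagged": tagged})
    return findings

# Constructed sample messages (not real spam, not real endpoints).
SAMPLE = (
    "hi! https://www.baidu.com/redir?to=http%3A%2F%2Fspam.example%2Fp%3Fid%3Dalice_1999\n"
    "look https://www.linkedin.com/out?dest=https%3A%2F%2Fshop.example%2F.\n"
    "notes: https://www.baidu.com/s?wd=skype+security\n"
)
```

A link that is both on a redirector domain and tagged with the recipient's name is the strongest signal that the sending account is compromised.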
Impact and Risk
These vulnerabilities are simple to close. Leaving them open leaves you at high risk of being the source of embarrassing spam messages to your contacts, and potentially being locked out of your Skype account for good. (Skype accounts aren’t always linked to email addresses, making the password recovery process notoriously difficult.)
Long-time users of Skype will have set up their Skype account under a username. Mine was tathamoddie. The sign-up flow never used to prompt for an email address or phone number. (It does now.)
After Microsoft acquired Skype, they added support for ‘linking’ a Microsoft account to your Skype account. This allowed me to log in to my Skype account via my Microsoft Account (firstname.lastname@example.org). Anybody who has used the Windows 8 or Windows 10 apps for Skype will have been encouraged down this path.
Linking a Microsoft account never prevented the Skype-based sign in.
Skype accounts have never supported two-factor authentication.
Skype accounts are actively being compromised via simple username + password authentication, with no second factor validations in play. Skype are stating that this is most likely due to credential re-use, however I know of one IT security professional whose account was compromised despite using a unique password that was always stored in a password manager. Considering the simplicity of Skype’s overall approach to authentication, and their rather broad range of client APIs, I’d postulate that there’s some brute forcing in play as well, or there has been a credential leak.
Microsoft are on a mission to merge all of their identity platforms: consumer Microsoft accounts, work or school accounts (OrgId / AAD), and Skype accounts. It’s a mammoth effort behind the scenes.
As part of this process, they’re supporting the use of multiple ‘aliases’ for each account. These are essentially multiple usernames. This allows you to log in using your email address, your mobile number, or your Skype username. They’re rationalising down to one password and one approach to proofs though.
Last week, Microsoft/Skype launched the latest migration push:
Today we are excited to announce that you can now use your Skype Name to sign into other Microsoft services like Xbox, Office and OneDrive. If you have any questions or want to find out more, please visit our FAQ.
Based on the migration experience, I don’t believe that there’s any way to use an old Skype account to compromise a Microsoft account by bypassing MFA controls, however it doesn’t hurt to hurry up and close off the old login vector now. That’s exactly what we’ll do to apply this security fix.
Ensure that you know your Skype username:
- Visit https://secure.skype.com/portal/account/settings
- It’ll show your Skype name near the top
Convert your Skype account into an additional alias for your Microsoft account:
- Visit https://account.microsoft.com
- If already signed in, sign out.
- Sign in with your Skype account (old Skype username, not email or phone number).
- You will be prompted to upgrade your Skype account to a Microsoft account. Follow this process to completion.
At this point, you’re back to a single password, and your Skype account is no longer a sign-in vector of its own. Your Microsoft account’s multi-factor authentication is now effective in protecting your Skype account.
Disable excess sign-in aliases on your Microsoft account:
- Visit https://account.live.com/SignInPreferences?amru=proofs%2FManage
- Disable as many sign-in aliases as you can, especially ones that you don’t commonly monitor. I disabled my Skype name, and just left my email address.
Let’s make sure it worked:
- Launch an InPrivate browser tab. It must be InPrivate, to avoid a cookie stamp they would have left in an earlier step post-account migration.
- Visit https://go.skype.com/myaccount
- You should encounter a Skype-based login screen, served from https://login.skype.com.
- Try entering your old Skype username.
- You should get redirected away to the Microsoft-based login screen, served from https://login.live.com
If you’re redirected away, then you’re all done.
If you weren’t redirected to the Microsoft-based login screen at https://login.live.com, then something isn’t done yet.
Skype have posted some background information this week: