Biggest Microsoft Security Lapse in Recent History – Skype's Achilles Heel
Yet again I come to you with a rant, but this time it seems the reason is Microsoft's huge lapse in basic Skype account security. Probably like most of you, I created my Skype account many years ago.
About a week ago a message popped up on my phone (where Skype is also installed) saying that my account is now suspended. Surprised, I followed their instructions to fill out the Microsoft support "Un-suspend form". That only prompted an email 24 hours later requesting an even bigger un-suspend form for me to fill out.
I of course suspected a potential Skype account compromise from the beginning, but checking the access history in my Microsoft account showed no unusual activity. I switched to using my Microsoft account the moment Microsoft started the migration from Skype accounts to Microsoft accounts.
This ridiculous cycle has now repeated at least 3 or 4 times. I fill out the same un-suspend form that Skype support emails me, and 24 hours later they email me the same form link again, asking me to fill it out. Worse yet, it is clear that they aren't even trying to read anything I write, as every time they say "be sure to request a password reset", which is not at all what I need! I fully know my password and have confirmed that it's fully secure!
So I took a step back and analyzed things further, and the only logical conclusion is that Microsoft is STILL allowing login to Skype using 10-year-old credentials that existed before Microsoft accounts! Worse yet, the old, insecure password still works even for users who have already migrated away from using the Skype login!
I am pretty sure that by now, with so many industry compromises, the old insecure passwords some of us used 10+ years back are "floating" out there, for sale or otherwise. For Microsoft to allow that old login to still be active is borderline criminal! There is no indication in one's Skype account that the old Skype credentials stay active, nor ever any request to update/replace that old password yearly. To confirm my theory I in fact tried to log in with those old insecure credentials, only to see that I do still get through and face the evil "Account Suspended" message!!!
Skype provides no customer service phone number to contact, not even chat support. Their email/forms to fill out only return after 24 hours or so, and as mentioned, no one even tries to read what I put on that form. Truth is, there isn't much for me to fill out in that form. It asks what month and year I opened my account – would any of us remember? It also asks about any financial transactions I made with Skype, which I never did (since other VoIP services were always cheaper and more convenient, working from real phones). It asks for date of birth, which I never submitted to Skype, as even back in the day when I registered I was already concerned with online security. It asks for a billing address, which they obviously don't have because again – I never paid for anything. So that form is fully useless, of course, as seems to be their whole customer service. Sadly, Microsoft is probably paying good money for that "offshore support" (responses always come at night), but obviously they don't have an iota of understanding of how to actually provide it, or even when to escalate to someone who can help.
I will update this post if something develops, but meanwhile, here's something you should do right now. If, like me, you registered many years ago, go to Skype.com and see if there is any way to change/disable any old credentials you may have used before switching to the secure Microsoft account. If there isn't any way to disable that old insecure login, at least see if you can change that old password to some jumble of letters and digits that won't be as easy to crack as our 1999 passwords used to be...
UPDATE: I was finally able to restore my Skype access. It is as I suspected: the old Skype account is still active "underneath" the Microsoft account, even if you never use it. Please ensure it has a complex or even "random jumble" style password. Furthermore, it looks like Skype's own password policy has been greatly improved over the years, and my old password was not even nearly secure enough to meet their current policies. However, there was never an alert to change it, not a single email reminding me that the old password is too short or too old. Nor did any notice ever come out when a new device in Africa logged into my account; not a single email on that. So Skype seriously needs to update its security practices, and so should we all.
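The update above lists exactly the events an identity provider should have raised an alert on: a login that succeeded through the pre-migration Skype password, and a login from a device and country the account had never used. The script below is an added example (not code from this post, and not Skype's or Microsoft's own logic) that runs those three checks over a handful of constructed login events. The event fields (`ts`, `account`, `auth`, `device`, `country`), the two `auth` values, and the per-account baseline are all assumptions chosen for the illustration; a real provider's audit log uses its own names.

```python
"""Flag the logins the post's author never got warned about.

Added example, not code from the post or from Skype/Microsoft. The event
format is an assumption: dicts with a timestamp, account, the credential path
used ("microsoft_account" vs "legacy_skype"), a device id and a country code.
"""
from collections import defaultdict

# Constructed sample events for two accounts (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2015-04-01T09:00:00Z", "account": "alice", "auth": "microsoft_account", "device": "phone-a", "country": "US"},
    {"ts": "2015-04-02T10:00:00Z", "account": "alice", "auth": "microsoft_account", "device": "laptop-b", "country": "US"},
    # The scenario from the post: old Skype password, unknown device, unknown country.
    {"ts": "2015-05-10T02:13:00Z", "account": "alice", "auth": "legacy_skype", "device": "android-x", "country": "NG"},
    {"ts": "2015-05-10T02:20:00Z", "account": "alice", "auth": "legacy_skype", "device": "android-x", "country": "NG"},
    {"ts": "2015-05-11T08:00:00Z", "account": "bob", "auth": "microsoft_account", "device": "desktop-c", "country": "DE"},
]

# Assumed baseline: where each account was normally seen logging in from.
KNOWN_BASELINE = {
    "alice": {"devices": {"phone-a", "laptop-b"}, "countries": {"US"}},
}


def detect_login_anomalies(events, known):
    """Return a list of alert dicts, one per new finding, in timestamp order.

    Three rules, each matching a gap the post complains about:
      * legacy_credential: the login used the pre-migration Skype password
        instead of the Microsoft account (flagged once per account/device
        pair so a chatty client does not spam).
      * new_device: a device id never seen for this account.
      * new_country: a country never seen for this account.
    Accounts absent from `known` start with an empty baseline, so their first
    login raises new_device/new_country; that is deliberate.
    """
    devices = defaultdict(set)
    countries = defaultdict(set)
    for acct, base in known.items():
        devices[acct].update(base.get("devices", ()))
        countries[acct].update(base.get("countries", ()))

    alerts = []
    legacy_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["auth"] == "legacy_skype" and (acct, ev["device"]) not in legacy_flagged:
            legacy_flagged.add((acct, ev["device"]))
            alerts.append(_alert(ev, "legacy_credential", ev["device"]))
        if ev["device"] not in devices[acct]:
            devices[acct].add(ev["device"])  # learn it so repeats stay quiet
            alerts.append(_alert(ev, "new_device", ev["device"]))
        if ev["country"] not in countries[acct]:
            countries[acct].add(ev["country"])
            alerts.append(_alert(ev, "new_country", ev["country"]))
    return alerts


def _alert(ev, kind, detail):
    return {"ts": ev["ts"], "account": ev["account"], "kind": kind, "detail": detail}


def format_notice(alert):
    """Render an alert as the one-line notice a user (or a SOC queue) should get."""
    return f"[{alert['ts']}] {alert['account']}: {alert['kind']} ({alert['detail']})"


if __name__ == "__main__":
    for a in detect_login_anomalies(SAMPLE_EVENTS, KNOWN_BASELINE):
        print(format_notice(a))
```

Run as-is, the two April logins for `alice` are silent because they match the baseline, the first Nigerian login produces all three alerts at once, the repeat a few minutes later produces nothing new, and `bob` (no baseline) is flagged on first sight. The legacy-credential rule is the one that matters most here: after a migration the old password path should not succeed at all, so any hit on it is worth a notification regardless of device or geography.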
Comment by Savas Papadopoulos on 2015-05-18 10:30:34 -0500
I stopped using Skype on the desktop many years ago due to security concerns. The webcam came on and off when Skype was online but not connected to a call. Antivirus programs wouldn't find any issues.
Then I checked using netstat -n and it listed dozens of live connections while the camera was going on and off.
Unfortunately I wasn’t able to remove this malware and had to format the drive altogether.
When I don't need video, I use Skype To Go with a regular phone. Otherwise the tool stays off the computer unless I want to make a video call. And even then, I wouldn't use it on a production machine. It has had too many security issues for over a decade now and no one is taking care of it.
Perhaps these security issues aren’t really a side effect at all 😉