Skype has fixed the loophole allowing accounts to be compromised with little more than an email address, claiming that only “a small number of users” may have been impacted by the flaw. In a new statement, the Microsoft-owned VoIP company said that it had “made updates to the password reset process” after temporarily blocking the feature in response to the alert.
According to initial reports, the hack was facilitated by Skype’s handling of new account setups which, paired with the way account recovery was managed, created a way for third parties to change the passwords of existing users. By attempting to create a new account using an email address already used by an existing user, an attacker would be shown a reminder of that existing user’s username.
A second stage to the exploit allowed the password to be reset by the interloper. If the targeted user was not paying attention to their account, they could find themselves locked out, with their Skype credit, as well as the cloud-hosted chat logs from the past few months (which Skype offers no way to delete), accessible to a third party.
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience.” – Skype
However, Skype has yet to comment on suggestions that the Russian hackers who initially identified the flaw alerted the company several months ago but received no acknowledgement of the issue. We’ve reached out to Skype for further comment on the allegations.