When I logged into Skype this morning, I received a message from an old colleague/friend I still occasionally chat/lunch with:
...] xxxxxx: http://goo.gl/3RVgvc?32017=[myusername]
Now, obviously I would never click on this (please don’t click on it either!), as it immediately rings several alarm bells. A quick investigation with a URL expander confirmed my suspicions: it leads to a referral spam/survey website.
What struck me as odd was that this friend ‘knows his stuff’ and would never let himself be tricked into participating in these scams, click on random links, fall victim to trojans/malware, etc.
As soon as he came online, I pointed out that there might be something wrong with his Skype account. He immediately jumped into action and quickly determined that his system was squeaky clean. Even more importantly, his computer was, in fact, turned off at the time of this message. This left us with three options:
- Maybe his Skype account had been brute-forced? This seemed extremely unlikely, as he uses a randomly generated strong password (everyone should).
- LastPass had been compromised. This was also exceedingly unlikely, as this would require an additional strong password and possession of his Yubikey… (really, he knows his stuff ;))
- So, that left us wondering if something was up with Skype…?
He contacted Skype support and the transcript(*) was interesting, to say the least:
Arlene Joy R: at 8:52:14 - Well actually, no one hacked your account
Arlene Joy R: at 8:52:27 - Thank you for bringing this to our attention
Arlene Joy R: at 8:52:49 - we are actually aware of this concern, where links are sent to all of your contacts
Arlene Joy R: at 8:52:57 - this is the spam virus
Arlene Joy R: at 8:53:17 - Let me assure you that Skype is already on top of this situation and we’re doing the best we can to rectify this.
You: at 8:53:15 - sorry my computer was turned off at time of spreading
You: at 8:53:30 - how can the computer sent links if it is turned off and nobody has my password?
Arlene Joy R: at 8:54:04 - yes that is correct there are cases that it was sent even if you are not logged in on your computer
This was followed by the Skype Support Engineer giving instructions to unlink all applications from Skype(**) and to wipe all of Skype’s application and temporary files as well as the chat history.
Update 1: another friend also reported receiving the same message.
So, does anyone have an idea what’s going on?
Update 2: a Microsoft/Skype engineer contacted me to figure out what was going on.
Apparently this is a known issue with Skype accounts that might have been linked to e.g. old Hotmail-accounts, or a disconnect (no synchronization) between an old Skype password and an MSA password. In short, if your password to one of these old accounts is compromised, it can also be used to login to Skype. Yes, you read that correctly: you can have multiple working passwords for one Skype account/username!
Thanks to Microsoft for contacting me about this. I’m not sure how I feel about the possibility, in principle, of having multiple working passwords for a single Skype account, but at least it’s good to know how to mitigate this issue if you’ve been affected.
TL;DR: If you’ve used Skype for many years, it might be linked to old Microsoft accounts (e.g. Hotmail): make sure you are using strong passwords for those old accounts to prevent malicious logins on Skype as well.
(*) transcripts were cleaned up and reformatted for legibility
(**) Messenger+/MirandaNG: only worked locally and weren’t compromised either