Skype Fixes Major Password Security Hole

Skype security hole allowed access to accounts with only an email address

By ABC News
November 14, 2012, 1:25 PM

Nov. 14, 2012 -- It's not a good week for password security. Only a few days after Twitter reset a number of passwords because of a security breach, Skype also has had a password security problem.

Early this morning it was found that Skype's password reset tool had been compromised. The flaw was discovered by Russian hackers and first reported by the tech site the Next Web: all that was needed to get into a Skype account was a Skype user name and the associated email address. The typical security roadblocks to getting into an account weren't in place; the tool didn't ask a user to confirm an email address with an email or answer a security question.

In response, Skype, which is now owned by Microsoft, first disabled the password reset feature this morning. But by 11 a.m. ET it had made updates to the tool. It now assures users that it is working properly. Skype claims only a small number of users were affected.

"This issue affected some users where multiple Skype accounts were registered to the same email address," Skype said in a statement on its website. "We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users, and we apologize for the inconvenience."

Something different happened with Twitter earlier in the week. After an unknown website or online service compromised some accounts, Twitter users received an email notification asking them to choose new passwords. Twitter admitted that it reset more passwords than it should have. "In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused," the company said.

Why is this happening? "The systems themselves can be compromised in a few ways. For instance, internally they might be missing patches that are allowing criminals to access servers," Robert Siciliano, an online security expert with McAfee, told ABC News. "You might have all the doors, but the locks are broken. With Skype and Twitter this week, they might have the systems in place, but they don't have the latest, greatest security to combat the certain attacks."

In this case, Siciliano couldn't offer any concrete user action, since this is really on the companies themselves. "It is beyond your control. If their systems are not set up properly, it really is buyer beware. Never assume these services, especially the free ones, have bullet-proof security systems."