Early this morning a huge security hole was discovered in the Skype password reset process, essentially allowing anyone to easily change your password and take full control of your account. Crazily, the issue was first posted on a Russian website two months ago and went largely unnoticed until the hole was revealed by The Next Web early this morning.
The exploit was easy enough to reproduce that TNW would not even link to the other blogs that explained how it was carried out. Basically, while the exploit was still live, the only way to protect yourself was to change your Skype-connected email to one that no one else knew.
Thankfully, Microsoft — which acquired Skype in March of last year — has since addressed the issue. The following is Skype's statement to TNW:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
Skype basically says in this letter that although the exploit was live for a long time — as far back as two months ago on a Russian forum — the hole only had a negative impact on “a small number of users.” The company did act quickly when The Next Web first reported the issue, temporarily disabling the password recovery feature, and has now fixed the problem completely. It now plans to contact any and all users it detected to have been exploited through this feature and assist as necessary.