At 12:37pm today, out of the blue, I got this email:
So, the funny thing about that email is that I requested no such reset. At the time, I was chatting to the plumber who was replacing my blown geyser element. Resetting my Skype password was the furthest thing from my mind.
I panicked, naturally, and got straight back to my desk, clicking that link to reset my password.
Now, every other system on the face of God’s green earth, since roughly 1990, will email you a link to reset your password if so requested. Skype is apparently too good for that – instead of just being able to plug in my registered email address, it gave me a 20-point questionnaire, including things like:
- What’s my name?
- What’s my email address?
- Name at least 5 contacts on your account
- When last did you make a Skype Credit purchase?
- Did you use a credit card, or PayPal?
- If it was a card, can you give a few of the digits?
- When did you register the account?
Color me surprised, right? I filled in as much as I could, and got a message saying that my request had been accepted, and I’d be contacted shortly.
That form? Exactly the same as the previous form, except this time on a Microsoft.com domain, and it had even more questions. So I filled that in too, getting upset all the while.
I’m not concerned about the credit on the account – it’s a couple Euro I can afford to lose. I’m not even concerned about not being able to use the account, since I barely use it anyway. I’m concerned that whoever’s done this will now use my account to spread infected URLs and other nasties (best case) or is a malicious hacker who is out to ruin my reputation (worst case).
I hit submit on the form and get this:
24 hours is more than enough time for a bad actor to do all the damage they’re going to do. If my account was set up for automatic recharge, that could include some financial damage too, plus I run the risk of my PayPal account suspended for fraudulent activity.
All of this could be avoided if Skype’s password reset policy wasn’t the loosest policy on the block. Apparently, to get a password reset, you just need a name, email, and up to 5 contacts on the account – not impossible to get from watching someone on Facebook for a bit and making some educated guesses.
As this gentlemen found out back in 2013: http://www.businessinsider.com/spammers-can-easily-hijack-your-skype-account-says-a-security-researcher-who-lost-his-account-six-times-2013-4
So I’m officially done with Skype. In the event I can recover that account, I’m messaging everyone on it where to find me elsewhere, and shutting it down. It’s insane that in 2016, a system as pervasive at Skype has worse security than a 9-year old’s secret handshake.
From now on I’ll just stick to systems that use two-factor authentication, and don’t just hand out free password resets to anyone that asks. I’ll keep my Contact page up to date.