A Russian blogger posted a step-by-step guide on how anyone can take over a Skype account in six easy steps. All you need to know to get started is the primary email address on the account.
In the guide, requesting a password reset and then locating the temporary reset token takes only a few clicks. The steps are easy enough for anyone, even someone with no programming knowledge, to follow.
The attack chains two design flaws in the Skype platform. First, it lets you register a new account using the same email address as an existing account. Second, it lets you retrieve a password reset token from inside the Skype application itself rather than from the email inbox that address belongs to. Together, that is all you need to take over someone's account and read their entire IM history.
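To make the two flaws concrete, here is a small Python model of an identity service that behaves the way the article describes, next to a hardened version. This is an added illustration written for this page, not Skype's code or the blogger's guide; the class names, the in-client delivery of reset notices and the simulated mailbox are all assumptions made for the demo.

```python
"""Toy model of the two design flaws described above (constructed example,
not Skype's code): duplicate-email registration, plus reset tokens surfaced
inside the logged-in client instead of only in the email inbox."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    password: str
    client_notices: list = field(default_factory=list)  # what the logged-in client sees


class VulnerableIdentityService:
    """Assumed behaviour matching the article: no email uniqueness, and reset
    tokens pushed to every account that claims the email."""

    def __init__(self):
        self.accounts = {}        # username -> Account
        self.reset_tokens = {}    # token -> email the token was issued for

    def register(self, username, email, password):
        # Flaw 1: nothing stops a second account from claiming the same email.
        self.accounts[username] = Account(username, email, password)

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        # Flaw 2: the reset notice (with its token) is shown in the client of
        # every account bound to that email, so the attacker's duplicate sees it.
        for acct in self.accounts.values():
            if acct.email == email:
                acct.client_notices.append(token)

    def reset_password(self, token, username, new_password):
        # The token only proves "someone asked for a reset on this email", and
        # any account sharing the email can be reset with it.
        acct = self.accounts.get(username)
        if acct is None or self.reset_tokens.get(token) != acct.email:
            return False
        acct.password = new_password
        del self.reset_tokens[token]
        return True


class HardenedIdentityService:
    """Fixed version: one account per (normalised) email, tokens delivered only
    to the mailbox, bound to a single account, single-use and time-limited."""

    TOKEN_TTL = 15 * 60  # seconds

    def __init__(self):
        self.accounts = {}        # username -> Account
        self.by_email = {}        # normalised email -> username
        self.reset_tokens = {}    # token -> (username, expiry)
        self.mailbox = {}         # normalised email -> tokens (stands in for SMTP delivery)

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def register(self, username, email, password):
        key = self._norm(email)
        if key in self.by_email:
            raise ValueError("email already bound to an account")
        self.accounts[username] = Account(username, key, password)
        self.by_email[key] = username

    def request_reset(self, email):
        username = self.by_email.get(self._norm(email))
        if username is None:
            return  # behave the same as success so the call cannot enumerate emails
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, time.time() + self.TOKEN_TTL)
        self.mailbox.setdefault(self._norm(email), []).append(token)  # never to a client session

    def reset_password(self, token, new_password):
        entry = self.reset_tokens.pop(token, None)  # single use
        if entry is None or entry[1] < time.time():
            return False
        self.accounts[entry[0]].password = new_password
        return True


def run_scenario():
    """Replay the takeover against both services and report what happened."""
    results = {}
    v = VulnerableIdentityService()
    v.register("victim", "victim@example.com", "correct horse")
    v.register("attacker", "victim@example.com", "anything")      # duplicate accepted
    v.request_reset("victim@example.com")
    leaked = v.accounts["attacker"].client_notices[0]             # token shown to attacker
    results["vulnerable_takeover"] = v.reset_password(leaked, "victim", "pwned")

    h = HardenedIdentityService()
    h.register("victim", "victim@example.com", "correct horse")
    try:
        h.register("attacker", "Victim@Example.com", "anything")  # same email, different case
        results["hardened_duplicate_blocked"] = False
    except ValueError:
        results["hardened_duplicate_blocked"] = True
    h.request_reset("victim@example.com")
    results["hardened_token_in_client"] = bool(h.accounts["victim"].client_notices)
    results["hardened_token_in_mailbox"] = len(h.mailbox["victim@example.com"]) == 1
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point of the hardened class is not the token format but where the token goes: a reset secret must travel only over the channel that proves control of the email address, and must be bound to exactly one account, otherwise a second account on the same address turns into a reset oracle.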
For now, Skype appears to have temporarily disabled password resets to stop this vulnerability from claiming further victims, though there is no telling how many people have already been affected, or whether Skype has a way of detecting and removing the duplicate accounts used to take over the original ones.
How to Protect Yourself from Attack
As noted by the blogger, the best way to protect yourself is to change the primary email address on your Skype account to a new one that nobody else knows, and remove any trace of the address you used to register the account.
In other words, add a new address to the Skype account, set it as primary, and delete the original address. Since the attack starts from knowing the primary email, these appear to be the only steps presently able to protect your account from this vulnerability.
It's still good practice to change your password periodically (every 30-90 days is a common recommendation) on any cloud-based service, so that a password leaked without your knowledge does not stay useful indefinitely. Bear in mind, though, that a reset-based takeover like this one bypasses your password entirely, so rotation does not help against it.
You should also never use the same password for multiple cloud accounts. For example, the password you use with Skype shouldn't be the same one you use for Steam or Google. A predictable tweak, such as changing the first letter to match the name of the site, is not enough: anyone who obtains one of your passwords can guess the pattern. Use a genuinely different password for each site (a password manager makes this painless). This will not protect you in this particular case, but once someone has access to one account, it is only a matter of time before they gather enough information to affect another part of your online life.