My Skype account was hacked, it was sending spam containing Baidu links

I consider myself quite “hack proof” when it comes to web. I use Password Manager, I don’t use same passwords (but I used to). I never open files that I receive in mail. If I need to do something really critical I have virtual machine that I boot up that runs plain Linux with no extras installed. But still I got hacked… how is this possible?

Background

Last Friday around 14:45 while working on my Mac, I suddenly started to get messages from many of my contacts saying: “What is this link?”, “Hi JP, long time…”
I started to look previous messages and I saw a link to Baidu. I panicked. I signed off from Skype immediately and started to think what the h…. has happen? My first thought was a malware. But I have not installed anything special recently. But I immediately started full virus scan and took computer out of web. I opened my Windows machine and started to Google answers. Strange thing was that I was not allowed to delete Baidu links from my message history. Usually in Skype I am able to delete messages I send. This sounded fishy as it looked like it is not actually “me” who send those messages.

So what happen?

After Googling I found online many comments and posts dating all the way back to 2015 having similar experience with Skype. One of the best threads I was able to find was in Skype forum in Security, Privacy, Trust and Safety -channel.

It turns out Skype and Microsoft are having a critical issue as hackers are able to log in into out Microsoft Accounts using Skype name and Password without Two-Factor-Authentication. This is for all “non merged” accounts (Remember, Microsoft bought Skype and then decided to merge logins with Microsoft). Skype login’s are added to the Microsoft account as a login option without informing people and “Enabled” it by default.

I was using my @outlook.com account to login to my Skype on my computers and phone. But there was still the original Skype username “jpkeisala” enabled with full access and I had not changed password of that username for ages. This same username used to be a username that I was using for many services back in the day. So I look at which sites has been hacked by https://haveibeenpwned.com/ and https://www.leakedsource.com/ and yes… Quite a few.

Ok, now I was sure that this is not malware but hacking. So I went to check https://account.live.com/Activity for susipcious activites and report to support page.

skype-hacked-from-buenos-aires
Bingo! I have not been Buenos Aires, Argentina. Someone is using my login.

So, now I have to change my password and find out how to avoid this in the future.

Solution

Based on my empirical investigation, you (probably) don’t have malware or virus, your username and password is hacked and spam links are sent from web and not from your computer. You need to reset password on Microsoft and deselect Skype name.

Secure your account

  1. Login into https://account.microsoft.com with your Microsoft Account
  2. Go to “Security and Privacy”
  3. Under “Account Security”, select “More security settings”
  4. Under “Sign-in preferences”, select “Change sign-in preferences”
  5. Deselect “Skype name”
  6. Press [Save]
  7. And if not already done, enable “Two-step verification”
  8. In https://account.microsoft.com/ Change your password.

Clean up spam messages

To clean up spam from your contact you can go to web.skype.com, it’s possible to delete messages there. I had ~200 contacts and I had to clean them up one by one. Phew…

I will update this post if I still have issues.