A recently discovered security hole in Microsoft’s Skype platform has forced the company to halt the ability to change passwords. The security breach was posted on a security forum by Russian hackers nearly two months ago.
The method targets the user’s password through the company’s simple password request form, which then allows access to the user’s account. Hackers have used it to lock out an account’s real user.
Breaching the Skype platform was a simple task. The hacker attempting to gain access to another user’s account created a new account with the target’s e-mail address; they then performed several changes and used the password reset token without needing to access the user’s real e-mail account.
The approach allowed anyone to create a new account for an e-mail and then switch to the target username.
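A simplified model of a reset flow that resists the pattern described above, added here as an example; it is not Skype’s or Microsoft’s code and not the fix Microsoft deployed. The class, its method names and the in-memory outbox standing in for the mail system are assumptions made for illustration.

```python
import hashlib
import secrets

GENERIC_REPLY = "If that address is registered, a message has been sent."

class ResetService:
    """In-memory model of password-reset issuance (constructed for illustration)."""

    def __init__(self):
        self.accounts = {}  # username -> {"email": str, "verified": bool}
        self.tokens = {}    # sha256(token) -> username the token is bound to
        self.outbox = []    # (email, username, token); stands in for outgoing mail

    def register(self, username, email):
        # Anyone can claim any address at sign-up, so the claim starts unverified.
        self.accounts[username] = {"email": email.lower(), "verified": False}

    def confirm_email(self, username):
        # Assumed to be called only after the mailbox owner follows a mailed link.
        self.accounts[username]["verified"] = True

    def request_reset(self, email):
        email = email.lower()
        for username, acct in self.accounts.items():
            # Check 1: only accounts with proven mailbox ownership are eligible,
            # so an account that merely claims the address gets nothing.
            if acct["email"] != email or not acct["verified"]:
                continue
            token = secrets.token_urlsafe(32)
            # Check 2: the token is bound to one username and stored hashed.
            self.tokens[hashlib.sha256(token.encode()).hexdigest()] = username
            # Check 3: the token leaves only by mail, never through the
            # requesting session or client.
            self.outbox.append((email, username, token))
        return GENERIC_REPLY  # same reply whether or not anything was sent

    def redeem(self, token, username):
        digest = hashlib.sha256(token.encode()).hexdigest()
        if self.tokens.get(digest) != username:
            return False      # unknown token, or token issued for another account
        del self.tokens[digest]  # single use
        return True           # caller may now let this user set a new password
```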
Microsoft has pulled the plug for the moment on Skype password resets for fear that its new integration with the Microsoft Account system could have caused major security issues for Windows 8 users. The new OS asks users to sign in with their Microsoft account rather than a local user account.
Microsoft engineers say they are working on a solution that will allow them to reactivate Skype password reset requests. In the meantime, anyone who has forgotten their password is temporarily out of luck.
The company has not revealed how many accounts may have been breached because of the hack. Once password resets are enabled again, users are being urged to choose a new password to safeguard their account.