Skype Alias Security Hole

If you are a Skype user and you haven’t turned off your old Skype alias (i.e. your old username), this is how you can improve your Skype account security. Microsoft is not proactive about telling Skype users about the security vulnerability that comes from continuing to allow sign-in with old Skype usernames. This security vulnerability can be exploited by hackers to take over your account even if you are using the newer linked Microsoft account's improved security questions, and even if you are using two-factor authentication!

Here’s how to fix the Skype username/alias security hole.

  1. Log into Skype via a browser
  2. Go to Account Settings (bottom of the screen)
  3. Where it says Microsoft account, if you see a URL to link your Skype account to a Microsoft account, follow the link. (If you don’t see this URL but instead see that your account is already “Linked”, skip step 4 and go to step 5 and log in to your Microsoft account.)
  4. Microsoft will present you with a screen to sign in. Make a new account and create it with your preferred email address. It won’t be the same as your old Skype username (a non-email address), but you can make it the same as your primary Skype email contact. Fill in the answers to any questions for the setup process. Once you have finished, you will be in your new Microsoft account. You should be at the following URL, https://account.microsoft.com. You may also see live.com along the way; this is also a Microsoft domain.
  5. At this point, you should be logged in to https://account.microsoft.com. If you don’t see the Account info page, pull down your username button in the top right and go to view your account info.
  6. Select “Security”. This will present you with three options: Change Password, Update Info, and Review Activity. If you haven’t updated your password in years, you should update to something more secure that has never been exposed in a database breach. You can Review Activity if you want to check to see if someone else has been trying to get into your account. The one we’re going to focus on for the alias fix is hiding under Update Info. Click in.
  7. At this point, you may get prompted to confirm you are you. It will present you with your email options (partially obscured) and phone. Select your desired contact, get the security code, and confirm you are you.
  8. Finally, you will be able to see the actual Security Settings on your account. This should include at least one email, preferably more than one. You can also put your phone number. If you want to change or add any emails, select “Add security info”. The phone option will give you the chance to choose text or voice, so you don’t have to feel restricted if you have an old-fashioned non-text phone here. The tool will walk you through a standard verification process - delivering a code to the desired email or phone for you to input and confirm.
  9. After you’re satisfied with your settings, you can go into “Change alert options” to configure where notifications go. I figure the more, the better, when it comes to security.
  10. Finally, and this is critical, go to the “more options” URL cunningly hidden at the bottom of the Security settings page. It’s subtle, isn’t it? You really have to be looking for this stuff. Bad layout, Microsoft!
  11. You will be presented with a number of additional security/recovery options.
  12. Here, set up the Recovery Code. The tool will generate a long code. PDF the email and maybe even print out a hard copy. Save the info somewhere you’ll be able to find it in five years if you need it!
  13. If you have a smart phone, consider setting up the verification app.
  14. Now, to fix the alias issue. Click “Manage sign-in options”. You’ll be prompted to provide your password again before getting access.
  15. You should see two options. The first will be your new primary account, an email address. This will be checked and grayed out, meaning it is fixed and can’t be changed in this window. The second will be your old Skype username or alias. Disable the checkmark next to your old Skype username!
  16. Save your change.
  17. If you like two-step verification, you can set that up here. If you opt to use it, remember that you can’t use the online recovery form if you need it in future, and you may be more restricted if something does lock you out of your account or if you lose access to your recovery device, such as your phone. Bear in mind that if you don’t turn off the old Skype alias, even if you install two-step verification, a hacker can still get into your account using old info!
  18. Back in your Skype application, you will need to log out and then back in under the new Microsoft account email. Because you’ve disabled the old Skype alias, you will no longer be able to log in that way. (Likewise, if you have the alias enabled, which is the default state after merging the Skype and Microsoft account, you will still be able to log in the old way. This leaves your old account open for exploitation by a savvy hacker!)
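The underlying problem in the steps above is a general one: an account with two enabled sign-in identifiers is only as strong as the weaker path, and two-step verification attached to the primary email does nothing for a legacy alias that still accepts its old password. The following is an added, constructed model of that policy (it is not Microsoft's code and does not talk to any Skype or Microsoft service; every identifier, password and OTP value is a made-up sample). It shows an audit that lists enabled sign-in paths lacking MFA, and that the bypass closes only once the legacy alias is disabled:

```python
from dataclasses import dataclass, field


@dataclass
class SignInMethod:
    """One way to sign in to an account (constructed model)."""
    identifier: str
    password: str          # constructed sample credential, not a real one
    enabled: bool = True
    mfa_enforced: bool = False


@dataclass
class Account:
    methods: list = field(default_factory=list)
    mfa_code: str = "123456"  # constructed sample one-time code

    def audit_sign_in_paths(self):
        """Return identifiers that are enabled but not covered by MFA."""
        return [m.identifier for m in self.methods
                if m.enabled and not m.mfa_enforced]

    def authenticate(self, identifier, password, otp=None):
        """Succeed only if the path is enabled, the password matches,
        and, where MFA is enforced on that path, the OTP matches."""
        for m in self.methods:
            if m.identifier != identifier or not m.enabled:
                continue
            if m.password != password:
                return False
            if m.mfa_enforced and otp != self.mfa_code:
                return False
            return True
        return False


def build_merged_account():
    """A merged account: MFA on the new email, none on the old alias
    (hypothetical identifiers and passwords)."""
    return Account(methods=[
        SignInMethod("user@example.com", "new-strong-passphrase",
                     enabled=True, mfa_enforced=True),
        SignInMethod("old_skype_name", "leaked-2012-password",
                     enabled=True, mfa_enforced=False),
    ])


def disable_legacy_alias(account, alias):
    """The fix from step 15: uncheck the old alias as a sign-in option."""
    for m in account.methods:
        if m.identifier == alias:
            m.enabled = False


def demo():
    acct = build_merged_account()
    # Old alias plus old password, no OTP at all: gets in.
    before = acct.authenticate("old_skype_name", "leaked-2012-password")
    weak_before = acct.audit_sign_in_paths()
    disable_legacy_alias(acct, "old_skype_name")
    # Same credentials after the alias is disabled: refused.
    after = acct.authenticate("old_skype_name", "leaked-2012-password")
    return before, weak_before, after, acct.audit_sign_in_paths()


if __name__ == "__main__":
    print(demo())  # (True, ['old_skype_name'], False, [])
```

The audit function is the part worth keeping in mind for any account system: enumerate every enabled sign-in path and treat any path without the same second factor as an open back door, regardless of how strong the primary login is.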


That’s it for disabling the old Skype alias. The Microsoft account will also give you options for other mundane tasks like changing your profile picture, name, sign-in email, phone numbers, etc. For example, if you need to change to a new email address for your actual login, this is where you do it. It appears that you can even set up more than one email for logging in. If you do change to a new email at some point, you should make sure you clean out any old email addresses (and phone numbers) that aren’t active anymore, and of course recheck your alias settings in the security settings to make sure they don’t present future back doors.

It’s also worth noting that some of the Skype settings are still held separately from the Microsoft account, such as billing, so you will probably need to continue doing maintenance to those features back in Skype. But security and password management appears to be handled from the Microsoft side where they’ve tried to unify control.

How did I get the idea to write this post? My husband’s Skype account got hacked, and because the account was so old, Microsoft’s automated recovery mechanisms failed to work on recovering it even though we had the original email address tied to the account. I tried for three days to recover the account without luck. During that process, I learned about the gory history of Skype security flaws and the completely useless customer service Microsoft/Skype provides to users who get hacked or otherwise locked out. If you have one of these old Skype accounts that you still use, even occasionally, you should take the extra step to disable the old alias. Be sure to update your password to something new and secure. And make sure you take advantage of the newer security recovery features, because if you fail to set them up, there is literally nothing you can do to get back in if you lose access. And heaven forbid if you have credits or money in there - you’ll have to cancel your credit card and say goodbye to your active credits if you get locked out by a hacker. Skype won’t refund money.

Before this experience, I was a regular Skype user and had a paid subscription, due to cheapness and convenience. I’ve now decided to abandon the service, and will opt for using Facetime or Facebook’s calling feature instead.


References:

From 2017:

"For those users that linked their Skype accounts to Microsoft accounts, the former Skype password is still activated. This leaves a security hole that can be used to break into your account and use it as you would.”

https://www.onmsft.com/news/skype-accounts-are-getting-hacked-and-its-a-problem

From 2016:

"The Microsoft employee had used two-factor authentication, but hackers were able to log in using an old Skype username and password combination.”

https://www.theverge.com/2016/11/8/13561024/microsoft-skype-baidu-linkedin-hack

From 2012:

"Skype has disabled its password reset capability after hackers discovered a serious security hole that could let anyone take control of an account by knowing its email address.”

https://www.theguardian.com/technology/2012/nov/14/skype-password-account-hack-reset


© 2018-2020 Christy Devonport, unless otherwise noted.