A security researcher who uses the online moniker TibitXimer claims that Skype accounts can be easily hacked by social engineering the company’s support team. He came to this conclusion after his own account had been hijacked six times in a single day.
TibitXimer says that accounts can be taken over by anyone who knows 3-5 of the victim’s Skype contacts, their first and last name, and an email address that was used for the instant messaging application at any point.
With this information, anyone can allegedly trick Skype support into handing over access to an account. “Due to my account being stolen (not hacked) through Skype my account was used to scam people out of hundreds of dollars along with damaging my reputation for my product's security due to thinking I had low security on my Skype account or email address, when in reality, it was Skype Support's fault my account was stolen, multiple times, and had nothing to do with End-users (me in this case),” the expert said.
Around three hours ago, one Skype representative responded on the thread posted by TibitXimer on the community forum. He says they’re investigating the matter, but denies that Skype accounts can be hijacked as easily as the expert described.
He immediately contacted Skype to report the issue, but the company’s reply wasn’t what he had expected.
“Skype CS is looking into your case. Our unlock policy does in fact require more than just the information you have quoted and we are checking where the failure happened during the required steps of verification,” the Skype representative wrote.
“I understand your frustration and we are constantly revising our process to ensure your account access is blocked to malicious users while at the same time valid password recoveries still make it through.”
One individual has told Softpedia that he has also successfully tested the method on his own account.
“What I find disgusting is that they refused to take any accountability, and were adamant that it wouldn't happen again if I read a document telling me to update my antivirus and stay clear of phishing sites, which is ridiculous as per the fact the account was given away by the Skype support representatives,” he explained.
“Realistically there is no way to secure your Skype account, and a lot of money is being scammed by people accessing certain people's Skype.”
In the meantime, Skype representatives have made the following statement:
“We take the security of our customers extremely seriously, and have been making ongoing enhancements to help protect customers. We have processes in place that would help protect against password reset scenarios such as this, and our customer support agents remain available to help customers as needed.
We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification. For more information about individual accounts, customers can contact Skype by visiting: https://support.skype.com/en/faq/FA1170/how-can-i-contact-skype-customer-service.”