Is your Skype or O365 account at risk?
Yes, even with complex password and 2 factor authentication.
If you prefer to read the short version of the story, you can cut to the bottom for the page
I am a pretty careful person, I use LastPass for my professionnel accounts, all with 12 digit auto generated complex passwords, 1Password on my Mac with a family account for our private passwords, I have 2 factor authentication on my Last pass, I never click on suspicious links or photos, have Sophos live running. use MS365, so I feel pretty safe.
A few days ago, I woke up and got a message from a friend, "did you send me something by skype?". I knew I did not and immediately logged in my skype account and started to see the history of all my contacts getting this strange link. It was too late to stop anything, I immediately send a second message in FULL UPPERCASES to make sure it would be seen before the other one. DO NOT OPEN OR CLICK, THIS COULD CONTAINS A VIRUS.
I immediately disconnected all my network services like drop box, etc... and tried to change my password on the Skype account but this time it did not accept to do it in skype as previously and instead redirected me to my Microsoft account. The last thing I wanted to do then was to type my MS account credentials in what I thought could be a compromised account. So I turned off my computer, removed it from the network and started thinking about possible ways I could have been infected. There was not many possibilities, apart from clicking on a wrong link I could not think of any other solution, but I had not used skype in over a week. And what about this skype redirecting me to an outlook account?
This is actually what got me thinking that my skype account is from very early stages in 2000, I never changed it and when Microsoft in 2011 bought skype I received a message asking me to link my Skype account to a Microsoft account for increased security. I did not want a microsoft account but they mentioned hotmail was fine and I had an old personal hotmail account that I rarely used and linked it with that one. In 2000, an 8 digit password with upper and lower cases and some funny signs and digit gave you all the protection needed, and as current practice, that was my single complex password for private accounts like Linkedin, hotmail and Skype.
A couple of years later, some hacking happened in large group like Linkedin, webservices, Yahoo etc... so it became important to increase the password strength and to reserve one different password per account. You can't physically do this with complex passwords for each of your accounts without having a centralised repository where you would write them all down, but this defeats the purpose of security if it is not safe and encrypted.
This is when we acquired LastPass where you can store all your passwords encrypted, access them through the Cloud and possibly share with people working on same accounts. And so we did reset all password, including Skype with a strong 12 digit password. And that's how it has been running since. We did not include that hotmail account that I was not using anyway. Wrong move...
Microsoft, for an unknown reason had registered the 2 different skype account credentials to access the same account, you could access through your Skype account with user name and password but you could also login with your microsoft account and password, which was not mentioned anywhere. Worth, you could even log into your microsoft account with your Skype credentials. So even if you implemented in Skype a strong authentication with as recommended 2 factor authentication, the whole purpose was defeated by Microsoft having left untouched the old credentials of the microsoft account linked to your Skype and there was no information about this situation.
And this is what happened to my account. I had a strong password to access Skype and felt completely secure but Microsoft had kept old credentials from my hotmail account, unused for over 6 years, as another login mechanism into skype. I have researched this extensively to understand how this could have happen and found a series or articles, including MS support talking about this issue but not resolving it. here are some extracts, you can click on the link for the full article:
I spoke to a Microsoft employee, on condition of anonymity, who had a Skype account breached recently. The Microsoft employee had used two-factor authentication, but hackers were able to log in using an old Skype username and password combination. I even tested this on my own personal accounts, and I was able to log into my Skype account with an old password despite linking it to my Microsoft Account months ago. I thought I was protected by Microsoft's two-factor authentication, but I wasn't.What has changed now? If you want to change your Skype password, you can now only do it through your Microsoft account, so at least your credentials are updated on both accounts at the same time. There was recently a MS provided mechanism to unlink your accounts but it is now currently suspended, without any explanation.This situation is similar to mine but the old unused skype account allowed a hacker to get in his Microsoft main account which is fact is much worse.
This is an article announcing how combining your account will improve your security, however if you read the comments below the article, example from Matthew Steeples, it is not so brilliant!
What the blog fails to mention is that if you’ve already done this (a few years ago when it was first available) then the default security is actually rubbish. I combined my accounts a few years ago, and enabled Multi Factor Authentication a few years ago. This week my account was compromised from Indonesia because this new feature (to let people sign in to your MS account with Skype credentials) was enabled by default _and_ bypasses MFA. Needless to say I and my contacts were not impressed!This is even more messy with people who migrated to MS 365 as to create your O365 accounts you were also required to create a MS Account and they are both linked to different privileges.Same reverse situation where Skype broke the security of Microsoft accounts
This is an interesting article explaining how complex Microsoft has made the line between private and business account, forcing everybody to own both.
Everyone can and should have a Microsoft account. It is an email address and a password; it might be your primary email address, or it might be a Hotmail or Outlook.com address. (You can use the Hotmail or Outlook.com address for email, if you choose, but you don’t have to – you might only use it to log into other services.) The Microsoft account can be used to log into a Windows 8 computer and it gives you access to online file storage with Skydrive, as well as a host of other services.Separately – separately! – subscribers to Office 365 business plans have an Office 365 account. It is an email address and a password; it might be your primary email address, or it might be (yourname)@(business).onmicrosoft.com. The Office 365 account is used to log into your mailbox (either in Outlook or in webmail) and other Office 365 services. It may also be the account that’s associated with your business subscription to Microsoft Office.
Is this clear? Not really, you will need to read the whole article (older version) to understand the differences, and it might be difficult.
To cut a long story short
If you had before 2011 a Skype account and a Hotmail or a Microsoft account, and you merged them when Microsoft asked you when their acquired Skype that year, you have created in their security systems, 2 sets of credentials, one for each account.
You might have a few years later upgraded one of the two into a strong and secure two factor authentication account like for your important email account and maybe left the other one weaker, as it has less importance or you might not really use it.
A couple year ago Microsoft decided to make your life easier so they introduced their single sign on where one account could allow you to log into all other services from Microsoft, and they enabled both your existing login to be used as a single login, by default, for all accounts, without warning.
As a result, your carefully build security went down the drain, as the weakest sets of credentials suddenly allowed anyone to bypass your security and access your other accounts, and some discovered this the hard way...
So while everything was quite fine for a few years, one day Microsoft made it possible by default to use both credentials, and in my situation, an old medium weak set of credentials from my hotmail received the privileges to bypass the strong login implement on my Skype account, and this by default without questioning the risk they had created, nor telling anyone.