I think the reasonable explanation until otherwise disclosed is that the vulnerability only impacted Skype login credentials. The Skype username shows as an alias on a linked Microsoft Account and more than likely with the recent login changes the Security Alert feature triggered for the linked Microsoft Account in general - so what previously would have not triggered this enabled the notification and locked impacted accounts. The activity log shows a Skype login as the culprit for me with my Skype "alias"
Honestly linked Skype to Microsoft Accounts should rely on the Microsoft Accounts password for Skype logins and not historical Skype passwords.
I wont completely rule out a data breach, but the activity log data from most people I have spoken with backs up the above theory.
Indeed it is an reasonable explanation but it does not help much. The standard procedure to have your account fixed is to login to https://account.microsoft.com with the "Skype ID" and corresponding password. BUT as accounts are hacked and not accessibele anymore or have changed passwords by the hack - people are not able to log in with their "Skype ID" and password - and there is no way to reset the password.
I tried all solutions and ended up with a support call. All options ended in either - change ms account password - or - deny password change because 2-factor is enabled on ms account. The problem is, i cannot disable 2-factor because it has a huge impact (i use authenticator app on Windows phone) - Disabling 2-factor temporary locks me out on all my devices - and thats no fun with everything bitlockered. And it's a huge exercise to enable it again.
So I am in a authentication circle which cannot be broken otherwise then let it be solved by Microsoft.
Although a solution would be to be able to unchain my Skype account from my MS account.
I agree its an uncomfortable situation - and as someone who works in the "field" I understand both sides.
After spending sometime reviewing and discussing with colleagues who ran into a similar issue I calmed down. It bothers me that my Skype account was compromised but my Microsoft Account is the only thing I care about in this situation and ultimately I don't believe that was impacted.
Skype had a feature that allowed you to create a password if you had a Microsoft Account created Skype Account for "legacy" devices so somethings with this transition are not as neat as they should be but when the dust settles I hope it`ll be the annoyance of a Skype login issue rather than a full on back-door vulnerability.
So it had never happened to me before but that's it, last evening I saw that this link was sent to all my contacts at 6 am ha ! I wasn't even awake at that time. I got an email from Microsoft during the day telling me that someone might be using my account and that I should change my password but I thought it was a spam so I didn't pay attention until I logged on Skype. On Skype it also sent the link to people who were not even on my Skype list but who I believe were from my Gmail account. So I changed both my Skype and Gmail passwords, we'll see what happens. Btw, it doesn't seem that stupid to me to check for malwares, I mean malwares could find registered passwords on a computer, couldn't they... ? I wonder. I have read in this thread anyway that changing passwords hasn't necessarily helped.
Anyway good luck to ye!
PS. For those who are not sure how to change their Skype password, this is how I did it : when you are logged on Skype (on a computer), if you go to "Skype" on the top left there's the option "change password" > you are then redirected to a link to change the password. Hope it helps.
Can someone tell me if their skype account still sent the links after they done the following:
How much time did it take to sent the links to all your contacts after you've clicked the link? For me there is already 15 hours and nothing happened so far. I checked my activity and for now there is nothing wrong there.
I wanted to close my Skype account but unfortunately is linked with the MS Account and I can't unlink them. I would rather avoid of closing my MS Account but if it is what it takes to solve it then I'll do it.
If Skype can still get hacked after all those precautions then MS has a big security hole.
It happened to me without clicking the link (had seen other links sent by two contacts but not this one), I believe it might be the same for most of us.
It's most definitely some type of malware. If you've got malware, it doesn't matter how many times you change your password, they could use keyloggers or simply find the file where the password is stored (caching, skype saving it for auto-login etc.). Take the following steps to resolve:
1. Google for and install Malware Bytes it is a free antivirus program (or at least has a free trial) that will detect most things. Just install and run the most thorough scan you can. There is more info on how to do this.
2. Some malware reside in the temporary directory, would be poorly designed ones, but they still show up, so clearing the temporary directory might help. Simply press (windows btn) + R, and type in %tmp% and you'll get an explorer window with lots of weirdly named folders and files. All of these inside this folder can be safely deleted. You might get warnings about system files, these files can also be safely deleted. You might also get warnings about files being in use, simply skip those files.
3. Get a better antivirus program. If you use Norton, shame on you. If you use Windows Defender, doubly shame. Get a real program, preferably one you pay for. I would suggest Kaspersky or Bitdefender. If you're looking for free solutions I've always used AVG, it's a safe bet. Avast! might work as well, but I haven't used it a lot.
4. Change password. Now you are ready to change your password. Change it good, change it well. A tip for a strong password is four words of 3-5 letters length each, randomly selected, with spaces between. Drop in some symbols and the like and you're golden, though it is not 100% necessary.
5. Extra security. Enable two factor authentication. Log in to your microsoft or skype account and there might be more info for you there (I haven't done it myself)
6. Don't be stupid. Stop clicking links that you don't know what they are. Don't download "free this or that coins" anywhere, at any time, for any reason. It is always a scam. Stay away from plugins to skype. Do your research when downloading programs. And last but most important, DO NOT log in on links sent to you. Always, always go to the site (for example skype.com) log in there, and then see if you can reach the page on the link that was sent to you. Websites are smart and keep your login session, so you should never have to log in twice. If you do, it's a scam, stay away!
Hope this helps people. Please stay safe kids!
Ok, got similiar issue today (an hour ago).
Got AVG installed, nothing found. Malwarebytes didn't found anything too.
On mobile - AVG + Malwarebytes: clean.
What's going on?... And why i cannot delete this message?