Every now and then here on the Skype Community we see another wave of reports from customers saying that their Skype account is sending unwanted spam instant messages to their contacts, including links to Baidu, LinkedIn or other popular online services. Please follow all of the steps below to act on this and take back control of your account:
Is your antivirus scanner up to date? Is your firewall still active? Does a malware scan find nothing? This is to ensure that no keylogger or other backdoor is transmitting what you type, including your password, to someone else. Do this before changing your password; otherwise the new password can be captured just as the old one was.
If you have a Microsoft account (i.e. you sign in with an email address or phone number) and you never linked a Skype name to it before September 2016: simply sign in to your Microsoft account, then select Security & privacy and then select Change password.
If you linked your Skype account with your Microsoft account in the past: there are still two passwords that grant access to your account. The best way to consolidate your passwords is by opening https://account.microsoft.com and signing in with your Skype name and password there. If this is the first time you are signing in since October 2016, you will be asked to update your account. More information is in the article One account for Skype and your other Microsoft services - NB: After you have updated your account, going forward there is only one password giving access to your unified account.
Now that you have updated your password (and possibly your account as well), secure it by setting up two-factor verification: https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification
I didn't even use Skype while the spam messages were sent? / I haven't signed in to Skype for ages? / I was only signed in to Skype on my mobile phone, and the device was always with me?
The spammers obtained your credentials and signed in from another computer somewhere else in the world to send the spam messages. They don't need access to your device, nor do you need to be signed in, for them to send their spam.
How did the spammers obtain my account password(s)?
Over the past years, data leaks of user credentials (emails/usernames + passwords) have unfortunately become a regular occurrence. If you have been re-using credentials across multiple services, then just one service leaking your data compromises those credentials everywhere else. You can check whether your username or email address was part of any recent large leak on the following website: https://haveibeenpwned.com/ - If you see the message "Oh no — pwned!", you should change your password everywhere you use this username/password combination.
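As an added example (not part of the original post, and not code from the site itself): the same site also offers a password lookup ("Pwned Passwords") whose API is built so that the password itself is never sent. The client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known hash suffix sharing that prefix, and makes the match locally. The Python below implements that client-side check; the range response it parses is a constructed sample with made-up counts, and the `fetch_range` function shows the real API URL but is not called, so the example runs offline.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6.
# Real responses have the same shape (SUFFIX:COUNT per line, uppercase hex)
# but contain hundreds of lines; the suffixes other than the second and the
# counts here are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
5A7A3B9E1C2D4F60718293A4B5C6D7E8F90:0
FFEE1122334455667788990011223344556:7
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.

    Only the prefix ever leaves the machine; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and CRLF."""
    table: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, range_text: str) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    The comparison is done locally against the returned suffixes, so the
    service learns only a 5-hex-character prefix shared by many passwords.
    """
    _, suffix = split_sha1(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the real range for a 5-char prefix from the Pwned Passwords API.

    Not called in this offline example; shown so the flow is complete.
    """
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(f"prefix that would be sent to the API: {prefix}")
    print("seen in sample corpus:", pwned_count("password", SAMPLE_RANGE_5BAA6), "times")
```

A non-zero count means the password is already in circulation and should be changed everywhere it is used, whether or not your own email address shows up in a leak; a zero count is not proof the password is safe, only that it is not in the corpus.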
Even if your information was not part of a data leak, your computer, or any computer you used your credentials on (in an internet cafe, on a shared computer at a friend's or family member's, even at work), could have been compromised by malware, and your password could have gotten into the wrong hands that way. That's why two-factor verification/authentication is a powerful tool to enhance your security.
But I checked sign ins via the /showplaces chat command?
The output of this chat command does not reliably list the currently signed-in endpoints. Instead it lists all endpoints registered to receive notifications, e.g. for incoming calls. This list largely overlaps with the signed-in endpoints, but it is not a reliable indicator. After you have updated your Skype account to a Microsoft account (see Step 2 earlier), you can use the "Recent Activity" report instead: https://account.live.com/Activity
Any comment on the fact that the spammers bypassed 2FA by using obsolete logins that shouldn't even exist anymore?
And how can I change my Skype password on my merged accounts when the website always redirects me to changing my Microsoft Account password, even though the two are not the same thing (which in itself is a security nightmare)? Is this achieved by logging into the account page via my Skype credentials?