UPDATED: Skype suspends password resets in wake of account takeover fears
Messaging giant responds to reports that email security flaw could leave users exposed to attack.
Skype has suspended its password reset procedures following the discovery of a flaw that could let hackers access an account by guessing a user’s email address.
To take advantage of the flaw, a hacker would simply need to create a new account using the victim’s email address and request a new password.
The password reset token is then sent to the hacker, via the Skype client, allowing them to take control of the victim’s original username and account.
The security hole could be used to lock people out of their accounts, access their chat logs and use up any paid-for credits they may have.
According to a report by The Next Web, the problem was flagged to Microsoft-owned Skype by Russian security researchers two months ago.
The firm acknowledged the issue in a blog post earlier today, adding that it was working on a fix.
“As a precautionary step, we have temporarily disabled password reset as we continue to investigate the issue further,” the blog post stated.
“We apologise for the inconvenience but user experience and safety is our first priority.”
Before the company stepped in, it is thought the only way users could protect themselves was to register their Skype accounts under a separate, hard-to-guess email address.
In a follow-up statement to IT Pro, Skype claimed only a small number of users had been affected by the issue.
"This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today," it said.
"We are reaching out to a small number of users who may have been impacted to assist as necessary...and we apologise for the inconvenience."