Late last night, Skype sent me an email letting me know that they had successfully changed my email address to firstname.lastname@example.org and I should visit my account to review my changes. Except I didn’t change anything. And what?
Thanks entirely to the amazing Jon Galloway who contacted people on my behalf, I was able to get back into my Skype account. We still have a lot of work to do securing everything else, because one victory isn’t going to stop these hackers from coming after us.
While this conclusion is really great for HTG, I do feel bad for all the people who reached out to me about their hacked accounts and don’t have a well-known website. To help prevent this from happening to you, make sure that you enable two-factor authentication for all of your accounts, and that you use strong passwords as well.
The rest of the story continues below…
I happened to wake up in the middle of the night because our baby is teething, and checked my email before going back to bed and saw this. The first thing I tried was logging into Skype… no such luck. Couldn’t log in. The password had been changed, and I couldn’t recover the password because the email had also been changed.
The account isn’t mine anymore; it’s now owned by some hacker.
My Skype account was protected with a very long, unique password. So how did the hacker get access to the account and then change my email address to something else to lock me out?
The only logical way we can think of: Skype support gave the account away.
I don’t have any proof that Skype gave the account away, but I still control the original email address, and it had a unique and very long password that was only for that account. There are no traces of a password reset email or anything else like that. So how would they have gotten access otherwise?
It’s worth noting that Skype does have two-factor authentication if you use a Microsoft account. This Skype account was so old that it didn’t have a Microsoft account behind it.
The Hacker Tries to Use More Social Engineering to Get To Our Servers
After waking up and trying to get the account back, I started getting strange messages on Slack from our writers about conversations I never had with them. The hacker was (well, is, because I still don’t have my account back) trying to use social engineering to trick HTG writers into giving up the SSH accounts to the servers, or giving them access to WordPress.
This isn’t new; we’ve had a bunch of threats in the last year, and a lot of hacking attempts. So far we’ve been able to hold them off, and this is the first time they’ve managed to get access to something.
The conversation above went on and on, but thankfully Chris Stobing is a smart guy, and didn’t fall for it. They were pretty convincing though, and everybody in my list got a similar message from them.
And Now, Skype Won’t Fix the Problem and Give the Account Back
I don’t know how much clearer it needs to be that the account was hacked than “email@example.com” as the address they changed it to, but I went through the long process of filling out the form on the Skype website to get my account back and reverse the changes.
And then I got an email saying they can’t verify my identity and so they won’t even “check the status” of my account.
The account was created years ago – I still have the original email that I got when I created the account. I’ve got the exact date, and a bunch of other details, but I don’t use Skype enough to have a credit card on file. And more importantly, I still have access to the original email account that was used to sign up for the account! Why would Skype allow this to happen? Why can’t I get my account back?
Dear Skype support: Is this enough verification?
So, bottom line: The official How-To Geek Skype account is now owned by hackers because as far as we can tell, Skype support gave it away and now won’t even look into it to give it back.