Arrow of time
Arrow of time
So my Skype account was hacked today

About an hour ago I got a message from a friend that my Skype account has sent a suspicious-looking link ...

About an hour ago I got a message from a friend that my Skype account has sent a suspicious-looking link to Baidu. As I wasn't signed into Skype, and I only use Skype a few times a year (when scheduled via e-mail), that sounded strange. But it was true - after logging in into Skype, I was greeted by an "unread messages" count of a few dozen. And that was doubly strange as, since I don't use Skype that often, my Skype contact list is very short - maybe 10-15 persons, max.

If you are one of those people who have received a Baidu link from me, I hope you've been suspicious enough not to click it. Generally, please don't click on strange links which you have not previously requested, anywhere, from anyone.

After reviewing "recent activities" on the Microsoft Live platform (because Microsoft bought Skype and made it shittier, and half-integrated the products), it looked like there was a suspicious login from an IP address that the platform recognized as being located in Cambodia. So, it looks like my password was possibly brute-forced from Cambodia, then a hacking client has logged in with the brute-forced password and sent spam messages. This spam was a link which was basically disguised as coming from Baidu. But that's not all: BEFORE sending all this spam, the hacking client has somehow added a few hundred people from my Google contacts to my Skype contacts - including some very recent people.

That's the real issue: how did my Google contacts end up in Skype? I don't think it's a sophisticated enough attack that it could browser-scrape contacts, so it seems like it should happen in server-to-server communication between Microsoft Live and Google. I had 2FA on Google but I've only just added it to Microsoft Live. I'm not sure if there's some kind of "Import contacts from Google" option in Microsoft Live, but even if there is, I sure haven't used it in years, and probably never, and still there were few very recent Google contacts there.

Update: just got another idea from a friend: this could have happened through the phone apps, if the Skype app has access to Google Contacts. Which I've now checked and it does - naughty Skype! Bad!

Skype's user interface is atrocious:

  • I've found out that Skype has sent a bunch of messages to people who had not yet accepted the (hacked) contact request. This means that people I have no intention to contact via Skype have received spam messages from my account without even accepting the contact request. Why is this possible?
  • Because this attack has added hundreds of people to my Skype contact list, I now had to go manually through each of them and notify the people not to click on the links.
  • Skype does not allow multiple-select on contacts or conversations, so I had to right-click every single one, and choose "Remove from Contacts" or "Hide conversation" from the pop-up menu. This is so sad.

All this has reminded me why, still, in 2017., I still avoid both Skype and Microsoft's products.

So to summarise, what to do about such vulnerabilities? At least the following things:

While this doesn't guarantee you won't be hacked in a different way, at least it prevents one way of doing it and minimizes the damage such a hack can do.

Here's an insightful link another friend has sent me about Skype's security. Very much worth reading!


Can UBI be tested with Digital Currency?

This article on the discrepancy between consumers' lifestyle and deteriorating workers' rights has sparked a prodigiously long discussion on the ...

This article on the discrepancy between consumers' lifestyle and deteriorating workers' rights has sparked a prodigiously long discussion on the Futurology subreddit (where the usual median length of the discussion is somewhere around 10 comments). Such topics now regularly venture into discussing the merits of Universal basic income (UBI), which as an idea was practically non-existent in the mindset of two or so years ago. An offhand Read More


The Pirate party of Croatia - what went wrong

The context of this article is that it's a sort of a post-mortem written from my own perspective of ...

The context of this article is that it's a sort of a post-mortem written from my own perspective of what went wrong in the Pirate Party of Croatia, now that I've left it. I've been one of the founding members and after more than two years' work I must admit that the number of accumulated problems has surpassed the level at which we can be productive, and that I cannot aid in solving them. Simply put, people in general (at...

Read More