Should You Change Your Skype Password to Avoid a Spam Attack?

Andre Infante 23-07-2015

For the past three weeks or so, complaints have been trickling in that some Skype accounts are messaging diet pill and pornographic spam to their contacts. It’s not clear how many are affected, although the complaint thread is now 24 pages long. Now, Microsoft is asking users to change their passwords, although there’s still some ambiguity on the original cause of the issue.


When is Spam Not Just Spam?

Normally, when you get spam from a friend’s account on any messaging platform, it’s because a malicious third party got access to the account, either by guessing the password or by using malware to steal the information from the user’s computer. In these cases, the correct answer is to alert the friend and have them change their password (if you are the inadvertent spammer, steps can be taken to resolve this).

If a bunch of these cases start to pop up simultaneously, that’s an indication that there may be a broader, systemic problem at work. In other words, the platform itself may have a security flaw that allows attackers to steal login credentials. For example, if attackers gained access to the master list of password hashes from Skype’s servers, it’d be relatively easy to begin cracking those hashes. That would give access to millions of accounts with easily guessable passwords. If that is indeed what happened, then – again – changing your password is the right answer. However, this also requires action from Skype to address their internal security vulnerabilities.


However, there’s some reason to believe that this isn’t the case. In the original complaint, the user mentioned that the compromised Skype contact looked back through his Skype history and couldn’t find the origin of the messages, indicating that they might have been “spoofed” – in other words, the spam might be due to a flaw in the Skype client’s ability to tell who messages are originating from, rather than an actual breach of password information. If so, that’s alarming – and changing password information won’t help.


Microsoft’s Response

In the thread, a Skype Community Manager, “Claudius”, suggests:

“It could be that the malicious software that sends out the spam (but hasn’t been detected by malwarebytes or antivirus yet as it in itself doesn’t do anything malicious apart from spamming Skype) is actually using the Skype Desktop API to send out the IM spam.”

However, this seems to run counter to user reports of computers sending spam when the machine is turned off – and affected users don’t report seeing an entry in the Skype Desktop API access list. It also seems unlikely that none of the available anti-malware resources would see anything. In response to this, “Claudius” changed the official explanation to this:

“Sorry it has taken us a few days to get back to you while we investigate the spam issue some of you have experienced. Our investigation indicates that cybercriminals are using an automated technique to exploit weak or re-used passwords. We have taken steps to address the issue and will continue doing so while we monitor the situation.

We encourage our users to use strong password and have some more information and help at Also, if you are continuing to experience spam issues, please change your password and you should see spam taper off in 24 hrs.”

This explanation raises more questions than it answers. A number of users report using strong passwords that were breached anyway. Others report spam continuing despite changing their passwords.

This also doesn’t explain the sudden increase in these issues. It’s safe to assume that almost any widely used piece of software is under attack from spammers nearly all the time. So what changed here, to cause such a spike in reports of compromised accounts? A quick search of Twitter, plus the length of the thread, seems to indicate that these are not a few isolated incidents.
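Microsoft's explanation describes an automated attack on weak or re-used passwords. Seen from the service side, that usually looks like one source trying many different accounts, mostly failing, with a few successes. The sketch below runs that detection over constructed sign-in events; it is an added example, not code from Microsoft or Skype, and the log format, field layout and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real Skype or Microsoft logs).
# Assumed format: "timestamp source_ip account result"
SAMPLE_LOG = """\
2015-07-20T10:00:01Z 203.0.113.7 alice FAIL
2015-07-20T10:00:02Z 203.0.113.7 bob FAIL
2015-07-20T10:00:03Z 203.0.113.7 carol OK
2015-07-20T10:00:04Z 203.0.113.7 dave FAIL
2015-07-20T10:00:05Z 203.0.113.7 erin OK
2015-07-20T10:05:00Z 198.51.100.20 frank FAIL
2015-07-20T10:05:09Z 198.51.100.20 frank FAIL
2015-07-20T10:05:30Z 198.51.100.20 frank OK
2015-07-20T11:00:00Z 192.0.2.44 carol OK
"""

def parse(log_text):
    """Yield (source_ip, account, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guess at them
        _, ip, account, result = parts
        yield ip, account, result == "OK"

def find_stuffing(log_text, min_accounts=4, min_fail_ratio=0.5):
    """Return {source_ip: accounts it signed in to} for sources that tried
    many distinct accounts and failed on most of them."""
    tried, failed, succeeded = (defaultdict(set) for _ in range(3))
    for ip, account, ok in parse(log_text):
        tried[ip].add(account)
        (succeeded if ok else failed)[ip].add(account)
    flagged = {}
    for ip, accounts in tried.items():
        fail_ratio = len(failed[ip]) / len(accounts)
        # One user mistyping their own password touches a single account;
        # a password-guessing run touches many accounts from one source.
        if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: force password reset for {', '.join(accounts)}")
```

The accounts returned for a flagged source are the ones whose passwords were guessed, so they are the ones to lock and reset; a password change by the owner only helps if the sign-in path the attacker used is covered by it.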


Is Skype Secure?

We know that Skype’s developers, both prior to and after Microsoft’s purchase, have put a lot of effort into enabling you to control privacy on Skype mobile and desktop versions. So it is safe to say that managing this situation is a priority for Microsoft, with Skype one of its crown jewels.

However, it’s not entirely clear what’s going on with these spam attacks. It’s possible that Microsoft is correct, and this is not a Skype problem. However, this requires a fair number of users to be mistaken or dishonest, which seems at least a little unlikely. If there is a more fundamental security vulnerability within Skype itself, then the current issues could be the tip of the iceberg. For now, reports of spam continue. Hopefully, more information from Microsoft will be forthcoming.

Have you been affected by this issue? Are you upset by Microsoft’s response to it? Let us know in the comments!



  1. Meowstic
    September 8, 2017 at 10:26 pm

    It's server based. It cycles through all skype accounts in alphabetical order, hitting all of our contacts one after another, also in alphabetical order.
    Once it hits the end, it starts over. Whatever they are, they've got server level access, and we're all just being spoofed to send these. It's been happening for years, and M$ refuses to do anything about it. Just further ruin the software with garbage nobody asked for.

    Currently, my last spoofing spam messages are baidu links with usernames appended to them.

    I think the link auto-parsing that skype does now is what's making this worse, because to parse it, the link has to be sent, and LOADED by M$ and to us. So, the spam/spoofing attacks are just mindlessly bruteforcing account names until it literally runs out of characters.

    What if this parsing is giving the spammers click/view revenue even if we don't click it ourselves?

  2. Skype Spam Victim
    January 20, 2016 at 7:10 am

    I have just been 'hit' by this spam attack. Twice in 1 week. The first time friends started notifying me they were receiving spam from me via Skype. I checked the Microsoft Recent Login Activity page and noticed 8 logins from the USA, while I am not from the states.
    I changed my Microsoft password and activated 2-step verification. Thought I was covered.
    But this morning friends started texting me again about spam. And they were right; I was sending out spam again from Skype.
    I now realised that I can login to Skype in 2 ways: using Microsoft and using Skype. So now I also changed my Skype login credentials. Hope it's solved now.

  3. Anonymous
    July 24, 2015 at 2:47 am

    maybe a hacked password manager service? or a malicious browser extension for skype?