Skype says that it has fixed a massive security hole that meant accounts could be taken over by knowing nothing more than the user's email address.


First discovered two months ago, but only picked up on by news organisations today, the flaw forced Skype to temporarily suspend its password recovery service while the issue was addressed.

Skype said, in a statement emailed to IBTimes UK:

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address.

"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.

"We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience."

Skype suspended its password reset tool before we were able to test out the security flaw for ourselves, but The Next Web reported that it had been successful in breaking into and taking over several of its Skype accounts.

The Next Web explains: "When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email.

"Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."

The flaw could have meant hackers getting easy access to users' conversation logs, contacts list, personal details such as their date of birth, and the use of any credit on the account.

IBTimes UK has asked Skype for more details about the problem and we will update this story when we hear back.