July 25, 2015

This story is a warning to all Skype users. Don’t repeat my mistakes. Change your password before it’s too late. Or just stop using Skype.

TL;DR: If a scammer knows your Skype password, there’s absolutely no way to get your account back. Microsoft doesn’t care about Skype, and Skype doesn’t care about you.

It’s evening, almost everyone in the office has already left. I’ve just finished my work and I am ready to go jogging. Hmmm, weird, Skype just logged out itself. Trying to log in—fail. I start to suspect the worst but refuse to believe. I log in with my Microsoft account and see that “I” have been asking my contacts to lend me ₽15,000 (≈$256). “I” am not a bot. “I” speak human and respond naturally:

It’s in Russian, because I am Russian. What’s happening here is basically “me” saying Hi and asking for a favor: lend me a couple hundred bucks until tomorrow. BTW, “₽” above means Russian ruble.

Of course, I immediately notify all contacts that I’ve been hacked and rush to change the passwords.

And here’s where the fun begins.

Catch 22: Enter Your Password to Change Your Password

There’re three official ways to log in to Skype now:

1. using Skype name and Skype password,
2. using Microsoft account, and
3. using Facebook.

All three should give the same access to the same account, but reality is more complicated.

The scammer knew my Skype password. To be fair, it was a pretty weak password. Like many others, I created the account a long time ago when I didn’t bother making up a strong password.

Using the Skype password (way #1), the scammer logged in and changed the password and primary email.

I, having been logged in with my Microsoft account (way #2), cannot change the Skype password or primary email. But I can for example edit payment methods, which he can’t. So, there’s no “main” account—there’s always something that one can and the other can’t do. One user—different permissions.

It’s getting absurd: the only way to change the Skype password is to enter the Skype password:

“Hey, look! There’s a link to reset your password!” I hear you say. But this link actually points to the Microsoft password reset, not Skype:

I spent a day just figuring out how all this account mess works.

So, I can use my account, but so can the scammer. Not too satisfying. Thank God there’s support, always ready to help.

Hello, You’re Talking to a Robot

As the scammer changes the password, I receive an email: “If that was not you, immediately contact us!” I follow the link from the email and I am notified that my request will be processed within 24 hours. After I fill the form, the waiting time goes up to 72 hours. I guess, I should contact them immediately, but they don’t have to reply immediately.

To get support, I must verify my identity. Verification means filling out a huge form with a lot of questions, some of which are impossible to answer. Do you remember the year and month you created your Skype account? What email did you use? I know it was like seven years ago and God knows what email I used back then.

I gave every piece of information I could possibly collect, and waited. I described the situation in every detail and specifically noted that I am logged in with my Microsoft account. To make sure, I sent a couple more forms.

I received the first response Saturday evening. An automated message informed me that I failed to pass the verification exam and no one will help me. Bad, bad customer!

Note these useful suggestions: create a new account and log in with the Microsoft account. Obviously, no one bothered to read my request. The bureaucracy at Skype is working great—there’s absolutely no way to contact a living human and get your request properly handled. I sent them a photo of my passport in reply, and it was simply ignored. A passport is enough to identify me when crossing a border, but not for Skype!

I received five more identical responses during Saturday and Sunday. I failed to prove to Skype support that I was myself.

No idea. There’s no other way to contact the security support team, and this way obviously doesn’t work. I’m writing these long and detailed requests that all seem to go straight to the trash bin. They do not reply on Twitter, Facebook, or per email.

I’d be happy to verify my identity by sending a blood sample. Unfortunately, I don’t know the address.

And the scammer is still using my account.

You know, I understand it’s my fault. After all, my password was weak. But am I that guilty? Is my crime really this heavy? Resetting a password never was this painful. Skype has a terrible account policy, and it’s the customers who have to deal with it.

All this pain could be easily avoided, if only Skype checked sessions like Google does. Or allowed me to easily reset the password. Or did not silently redirect me from one account to another. Or let me speak to the support team. Or did not require me to painstakingly prove that I am myself. But Skype doesn’t do any of these things.

I don’t think I will get a response from Skype or Microsoft. They made it quite clear that they don’t give a toss. This article is a warning. Change your password now, because there’s nothing you’ll be able to do when it’s lost.

UPD

This post caught the attention of the official Skype Support Twitter account. My issue was resolved in 10 minutes.

So, in the end, it all could have been solved quickly from the start. The verification forms are a total waste of time.

I’m lucky to be able to speak English, so I could state my point clearly. But think about thousands of Skype customers who lose their accounts silently, unable to get any support.

Although my account was finally retrieved, the situation remains bad: Skype’s dual entry account policy is a huge security breach, and the service is useless.

I spent 4 days on what could have been fixed in 10 minutes. Skype, why not offer good support from the start?

UPD²

Today, one of my verification forms was finally approved! The only problem: it happened the day after I had already retrieved my account. Face. Palm.

They blocked my account and sent the instructions to reset the password. So, they didn’t believe me when the account really was stolen, but now, when it’s not, they suddenly believe me. Skype, maybe something is indeed wrong with your verification process, don’t you think?
