The vulnerability was discussed on a Russian blog about three months ago, but was only tackled after details were shared on news discussion site Reddit. The issue could have exposed answerphone messages, old text message conversations and user details including date of birth.
Skype said it had now resolved the issue. "Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website," said engineer Leonas Sendrauskas.
"This issue affected some users where multiple Skype accounts were registered to the same email address.
"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
"We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience."
A how-to-guide was first shared on Russian forum Xeksec. It involves using a victim’s Skype-registered email address to create a new account which is also linked to an email account owned by the attacker. If a password change is then requested using the target’s username, the hijacker can access the resulting reset token via the Skype app itself using the newly-created bogus log-in.
This can then be used to lock out the account’s owner and access their details. Skype blanks all but the last four digits of stored credit card accounts preventing the hackers from being able to steal cash, however they could have used up spare credit.
The security hole was confirmed by The Next Web which subsequently brought it to Skype’s attention.