
Someone logged into my 2FA secured Microsoft account through a Skype backdoor

Fortinbras

Member
Sep 12, 2007
2,709
33
1,060
Yesterday I got a text message from Microsoft that informed me about suspicious activity regarding my Microsoft account. I immediately logged into my account and noticed that someone in China had logged into my account successfully the day before.

Thankfully nothing was changed. I updated my password and checked if any money was missing. There wasn't.

I was surprised because I always used unique ID/password combinations and I didn't use the same passwords on different services. For some services like Xbox I use an email which I don't use anywhere else. I always enable two-factor authentication if available. Both my Microsoft account and my Gmail have been secured with 2FA since the day Google and Microsoft started offering these security options.

I started looking through the whole activity log and noticed several failed login attempts in the last two weeks. The hacker never used my email (Microsoft ID).

I searched Google and saw that this has been happening to Skype users since August.

Simply put, it is possible to log into a Microsoft account via a Skype alias, bypassing 2FA completely.

This can happen when your Microsoft account is linked to a Skype account. All the old Skype login information still works after the accounts were linked. To secure your Microsoft account you have to deactivate your Skype alias manually.

The Verge explains it better:
http://www.theverge.com/2016/11/8/13561024/microsoft-skype-baidu-linkedin-hack

Even after checking my emails on haveibeenpwned.com I have no idea how someone got my Skype login.

I don't even know what to say to this. I guess: Check your accounts!

EDIT: Go to
https://account.live.com/Activity

If there's something suspicious, read the Verge article.
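The failure mode the post describes, reduced to a toy model. This is an added illustration, not Microsoft's code and not something from the thread: the account structure, identifiers, passwords and the one-time code are all constructed. The vulnerable function models a linked-but-not-merged alias whose password check never reaches the 2FA gate; the hardened function models the merged state, where every identifier resolves to the same account, MFA is decided after any password check, and an identifier that is switched off in sign-in preferences is refused outright.

```python
# Added toy model of the alias bypass described in the thread; it is not
# Microsoft's code. Identifiers, passwords and the OTP are constructed values.
import hmac
from dataclasses import dataclass


@dataclass
class Credential:
    password: str
    sign_in_enabled: bool = True   # the per-identifier "sign-in preferences" toggle


@dataclass
class Account:
    primary: str                   # the Microsoft account e-mail (the 2FA-protected ID)
    credentials: dict              # identifier -> Credential (e-mail, Skype alias, ...)
    mfa_enrolled: bool = True
    expected_otp: str = "123456"   # constructed; a real system verifies TOTP/SMS/app


def make_demo_account():
    """Constructed account: a strong e-mail password plus an old Skype password."""
    return Account(
        primary="user@example.com",
        credentials={
            "user@example.com": Credential("correct horse battery staple 2016"),
            "user.skype.name": Credential("OldSkypePw!2012"),
        },
    )


def _password_ok(cred, password):
    return hmac.compare_digest(cred.password, password)


def _mfa_ok(account, otp):
    return (not account.mfa_enrolled) or otp == account.expected_otp


def sign_in_linked(account, identifier, password, otp=None):
    """Vulnerable model: the alias is checked against its own credential and
    handed a session; the MFA gate is only wired to the primary identifier."""
    cred = account.credentials.get(identifier)
    if cred is None or not _password_ok(cred, password):
        return "denied"
    if identifier == account.primary:
        return "granted" if _mfa_ok(account, otp) else "mfa_required"
    return "granted"               # alias path never reaches the MFA check


def sign_in_merged(account, identifier, password, otp=None):
    """Hardened model: any identifier resolves to the one account, MFA is decided
    after the password check whichever identifier was used, and an identifier
    that is not enabled for sign-in is refused before any check."""
    cred = account.credentials.get(identifier)
    if cred is None or not cred.sign_in_enabled:
        return "denied"
    if not _password_ok(cred, password):
        return "denied"
    return "granted" if _mfa_ok(account, otp) else "mfa_required"


def disable_alias_sign_in(account, identifier):
    """The manual fix from the thread: keep the alias, stop it being a login."""
    account.credentials[identifier].sign_in_enabled = False
    return account


if __name__ == "__main__":
    acct = make_demo_account()
    print("linked, alias, no OTP:", sign_in_linked(acct, "user.skype.name", "OldSkypePw!2012"))
    print("merged, alias, no OTP:", sign_in_merged(acct, "user.skype.name", "OldSkypePw!2012"))
    disable_alias_sign_in(acct, "user.skype.name")
    print("merged, alias disabled:", sign_in_merged(acct, "user.skype.name", "OldSkypePw!2012", "123456"))
```

The point of the model is where the MFA decision lives: in the vulnerable version it is attached to one identifier, so any other identifier that authenticates the same account is a bypass; in the hardened version it is a property of the account, evaluated after whichever credential was checked.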
 

etta

my hard graphic balls
Mar 24, 2015
12,712
3
0
The hell, Skype is pretty huge in business, strange how Microsoft overlooked it.
My account doesn't use it as an alias thankfully, but they gotta fix this asap what the hell.
 
Jan 25, 2014
3,705
0
0
I got an email yesterday and I changed my password and activated 2SV. How do you check which device(s) have attempted to access your account?
 

Fortinbras

Member
Sep 12, 2007
2,709
33
1,060
The hell, Skype is pretty huge in business, strange how Microsoft overlooked it.
My account doesn't use it as an alias thankfully, but they gotta fix this asap what the hell.
They do not acknowledge it. Why fix something that isn't broken?

German media is picking this up very slowly. I actually found the Verge article through a German news site.
 

Joni

Member
Aug 11, 2007
30,093
0
0
My House
The hell, Skype is pretty huge in business, strange how Microsoft overlooked it.
My account doesn't use it as an alias thankfully, but they gotta fix this asap what the hell.
Skype for Business is something separate, according to what people on GAF have taught me.
 

OrochiJR

Member
Jul 2, 2014
472
8
500
Vienna
Just checked and in the last months I had unsuccessful log-in attempts from China, Brazil and Iran. WTF.

My Skype account sent some spam messages some months ago too, this may be related. I changed my password back then and changed it again right now just to be safe.
 

Easy_D

never left the stone age
Jan 5, 2008
23,623
2
0
Checked, "Recent Activity 2 minutes ago". T'was me. Nothing else seen on the account page. Granted I did block that port that lets the Skype backdoor work in the first place.
 

Podge293

Member
Feb 4, 2015
2,414
1
0
Someone did the same to me. MS locked the account though and rang me about it. Seems they used my Skype name as access.

There is somewhere in settings to turn off the alias being used. 100% recommend this, as this doesn't seem to be covered by 2FA.

Edit: seems it was mentioned, but solid advice anyway.
 

EmiPrime

Member
May 16, 2013
10,085
2
405
Thanks OP, what a glaring error on Microsoft's part. To think that my account could have been compromised because of a 12-character password I made 4 years ago, bypassing my 50+ character password and 2FA!

In a way, however, it confirms just how important a unique password is. Looking at my account activity, I have had scumbags from all over the world try to get into my account every week through my Skype alias, and yet a simple 12-character password that looked something like Yg2DbKsi%M3 has kept them out all this time just because it wasn't used anywhere else.

To be honest I am quite pissed off about this and I wasn't even compromised.
 

InsaneTiger

Member
Sep 28, 2013
6,698
0
425
Skype for Business is not the same Skype you're probably thinking.

I have it at work, works more like Lync.
 

Smidget

Member
Jun 12, 2004
2,569
0
1,260
35
Orlando, FL
OK, so I linked them properly; now how do I deactivate the Skype alias? Or now that they both show up, are they safe under 2FA?
 

n0razi

Member
May 1, 2014
4,791
672
560
That's why I never link accounts... not Facebook, not Spotify, not even XDA forums.
 

ROUGE_BLOCK

Member
Jul 8, 2014
2,478
0
300
The Chinese are looking into my account? Why do we have so many services tied to something as vulnerable and easy to hack as an email? We got to the point where financial information is tied to it, amongst a brevity of other personal info, for accounts seemingly anyone with the knowledge and time can get into.

Like, why is my login into Windows 10 my email? What purpose is it to have a communication application be tied to the security of a personal computer? Or a console? I mean, in what world would someone want their computer and gaming device connected by the same password for an account that is tied to financial info?

However, I have to use these services regardless, so I'm pretty much stuck with it. I would love for Windows 11 to give the option of just a password for getting on a computer again that wasn't tied to my email. However, there is more likelihood of a monkey jumping out of my butt tomorrow.
 

Szeth

Member
May 13, 2014
414
0
0
So I'm a bit confused. If I don't have any other aliases at that link, just my email, then I don't have to do the merge thing from the Verge article? Or do I have to merge to be able to see the option and deselect it?
 

JP

Member
Mar 7, 2010
6,737
170
0
Damn, that's pretty bad. At least it's a relatively easy fix for people who haven't had issues with it.
I have unsuccessful syncs from Ukraine, Bulgaria, US... and unsuccessful sign-ins from Taiwan, US, Mexico... all in the past month.

Wtf.
I check mine fairly regularly on sites where it's possible to do that. Over the past two days I have log-in reports from the UK, Israel, Czech Republic, Australia and New Zealand. It looks bad, but I do run everything through either a VPN or a double VPN if it's stuff that I absolutely need to be sure of.

Validating the log-in IPs is simple enough to do.
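An added example of the triage the OP's activity-page check and the remark above amount to; it is not from the thread and not a Microsoft tool. The pipe-separated record layout (time, event type, identifier used to sign in, country) is an assumption modelled on the fields the activity page shows, and every record, identifier and home country below is constructed. What it surfaces is exactly the signal this thread is about: a successful sign-in that came through an identifier other than the primary e-mail, a success from somewhere the owner never is, and which identifier the failed attempts are aimed at.

```python
# Added example of triaging a Microsoft account activity listing; not from the
# thread. Record layout is an assumption; all records below are constructed.
from collections import Counter
from datetime import datetime

SAMPLE_ACTIVITY = """\
2016-11-08T18:30:15Z|Successful sign-in|user@example.com|DE
2016-11-07T03:12:44Z|Successful sign-in|user.skype.name|CN
2016-11-06T22:01:10Z|Unsuccessful sign-in|user.skype.name|BR
2016-11-05T09:40:02Z|Unsuccessful sync|user@example.com|BG
2016-10-30T11:05:59Z|Unsuccessful sign-in|user.skype.name|IR
"""

PRIMARY_ID = "user@example.com"   # constructed: the 2FA-protected Microsoft account e-mail
HOME_COUNTRIES = {"DE"}           # constructed: where the owner actually signs in from


def parse_activity(text):
    """Turn the listing into dicts; malformed lines are returned, not silently dropped."""
    records, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 4:
            bad.append(line)
            continue
        ts, event, identifier, country = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "identifier": identifier,
            "country": country,
        })
    return records, bad


def triage(records, primary=PRIMARY_ID, home=HOME_COUNTRIES):
    """Flag a successful sign-in through any identifier other than the primary
    e-mail (the alias path), any success from an unexpected country, and count
    failures per identifier and per country."""
    out = {
        "alias_success": [],
        "foreign_success": [],
        "failed_by_identifier": Counter(),
        "failed_by_country": Counter(),
    }
    for r in sorted(records, key=lambda r: r["time"]):
        success = r["event"].lower().startswith("successful")
        if success:
            if r["identifier"] != primary:
                out["alias_success"].append(r)
            if r["country"] not in home:
                out["foreign_success"].append(r)
        else:
            out["failed_by_identifier"][r["identifier"]] += 1
            out["failed_by_country"][r["country"]] += 1
    return out


def report(findings):
    """Human-readable summary, returned as lines so it can be checked or printed."""
    lines = []
    for r in findings["alias_success"]:
        lines.append(f"ALERT successful sign-in via alias {r['identifier']} "
                     f"from {r['country']} at {r['time']:%Y-%m-%d %H:%M}Z")
    for r in findings["foreign_success"]:
        lines.append(f"WARN successful sign-in from {r['country']} (not a home "
                     f"country) at {r['time']:%Y-%m-%d %H:%M}Z")
    for ident, n in findings["failed_by_identifier"].most_common():
        lines.append(f"INFO {n} failed attempt(s) against identifier {ident}")
    return lines


if __name__ == "__main__":
    recs, bad = parse_activity(SAMPLE_ACTIVITY)
    print("\n".join(report(triage(recs))))
    if bad:
        print(f"{len(bad)} malformed line(s) skipped")
```

The ALERT line is the one that matters for this bug: a success that arrived through an identifier you did not think was a login is the alias path, whatever country it came from. Failed attempts piling up against the alias rather than the e-mail tell you which identifier is being guessed.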
 

opticalmace

Member
Dec 8, 2008
14,633
0
0
Bay Area
Thanks for posting this. Apparently I had "linked" my Skype/MS accounts but not merged them... what a dumb ass system.

So I'm a bit confused. If I don't have any other aliases at that link, just my email, then I don't have to do the merge thing from the verge article? Or do I have to merge to be able to see the option and de select it?
The latter.
 

Quick Mustard

Member
Nov 18, 2011
2,333
0
0
I'm confused.

My account shows it as linked on the Skype page, but on the sign-in Preferences page it only shows two emails and not my Skype sign-in ID.

Am I safe?
 

Fortinbras

Member
Sep 12, 2007
2,709
33
1,060
So I'm a bit confused. If I don't have any other aliases at that link, just my email, then I don't have to do the merge thing from the verge article? Or do I have to merge to be able to see the option and de select it?
You would have to merge to see the option.


Wow so many unsuccessful syncs
Does the activity actually say "successful or unsuccessful sync"?
 

EmiPrime

Member
May 16, 2013
10,085
2
405
I'm confused.

My account shows it as linked on the Skype page, but on the sign-in Preferences page it only shows two emails and not my Skype sign-in ID.

Am I safe?
No, your accounts are just linked and that's what is getting accounts compromised. You need to merge and then the alias will show up in sign in preferences, following which you can disable it.

Go to https://account.microsoft.com, if you're already signed in, sign out.
Enter your Skype name, not your Microsoft Account email address, and use your Skype password to sign-in
If you've linked your Microsoft Account previously, you'll be prompted to sign-in and merge the accounts to create a Skype alias
 

dragoncdf

Member
Aug 22, 2012
83
0
430
I had 3 attempts to auto sync: one from the Philippines, one from Bulgaria, and one from Chile. All were unsuccessful. I don't even use Skype.
 

Quick Mustard

Member
Nov 18, 2011
2,333
0
0
No, your accounts are just linked and that's what is getting accounts compromised. You need to merge and then the alias will show up in sign in preferences, following which you can disable it.
Ok, so now I've merged them, I have two emails and the Skype sign-in username under the sign-in preferences.

Do I just untick that Skype login and I'm good?
 

ViciousDS

Banned
Aug 14, 2013
15,103
0
0
I just checked


HOLY FUCK, this is how they got into my Hotmail without 2FA last month. I started freaking the fuck out. Thankfully I changed the password immediately and nothing was changed or accessed.

Sure enough alias is shown and was used for the login......god damn it. Fucking Microsoft
 
Nov 23, 2011
4,231
56
445
However I have to use these services regardless so I'm pretty much stuck to it. However I would love for Windows 11 to give the option of just a password for getting on a computer again that wasnt tied to my email. However there is more likelihood of a monkey jumping out of my butt tomorrow.
You can make a local account on Windows 10 which only exists on your PC, you don't need to tie a Microsoft account to it.

you will be missing out on all those sweet (lol) UWP games on Windows Store though
 

Fortinbras

Member
Sep 12, 2007
2,709
33
1,060
I just checked


HOLY FUCK, this is how they got into my Hotmail without 2FA last month. I started freaking the fuck out. Thankfully I changed the password immediately and nothing was changed or accessed.

Sure enough alias is shown and was used for the login......god damn it. Fucking Microsoft
Think about it. If they get a successful sync they can download all your emails. It's unbelievable really.
 
Mar 3, 2011
13,481
0
740
No, your accounts are just linked and that's what is getting accounts compromised. You need to merge and then the alias will show up in sign in preferences, following which you can disable it.
Any way to find out what my Skype name is if I don't remember? It's been years since I last used Skype.