
Someone logged into my 2FA secured Microsoft account through a Skype backdoor

Yesterday I got a text message from Microsoft that informed me about suspicious activity regarding my Microsoft account. I immediately logged into my account and noticed that someone in China had logged into my account successfully the day before.

Thankfully nothing was changed. I updated my password and checked if any money was missing. There wasn't.

I was surprised because I always used unique ID/password combinations and I didn't use the same passwords on different services. For some services like Xbox I use an email which I don't use anywhere else. I always enable two factor authentication if available. Both my Microsoft account and my Gmail were secured with 2FA since the day Google and Microsoft started offering these security options.

I started looking through the whole activity log and noticed several failed login attempts in the last two weeks. The hacker never used my email (Microsoft ID).

I searched Google and saw that this has been happening to Skype users since August.

Simply put it is possible to log into a Microsoft account via a Skype alias, bypassing 2FA completely.

This can happen when your Microsoft account is linked to a Skype account. All the old Skype login information still works after the accounts were linked. To secure your Microsoft account you have to deactivate your Skype alias manually.

The Verge explains it better:
http://www.theverge.com/2016/11/8/13561024/microsoft-skype-baidu-linkedin-hack

Even after checking my emails on haveibeenpwned.com I have no idea how someone got my Skype login.

I don't even know what to say to this. I guess: Check your accounts!

EDIT: Go to
https://account.live.com/Activity

If there's something suspicious, read the Verge article.
 

etta

my hard graphic balls
The hell, Skype is pretty huge in business, strange how Microsoft overlooked it.
My account doesn't use it as an alias thankfully, but they gotta fix this asap what the hell.
 
I got an email yesterday and I changed my password and activated 2SV. How do you check which device(s) have attempted to access your account?
 
The hell, Skype is pretty huge in business, strange how Microsoft overlooked it.
My account doesn't use it as an alias thankfully, but they gotta fix this asap what the hell.
They do not acknowledge it. Why fix something that isn't broken?

German media is picking this up very slowly. I actually found the Verge article through a German news site.
 

Joni

Member
The hell, Skype is pretty huge in business, strange how Microsoft overlooked it.
My account doesn't use it as an alias thankfully, but they gotta fix this asap what the hell.

Skype for Business is something separate, according to what people on GAF have taught me.
 

N° 2048

Member
Just checked if my Skype was linked and it says "due to ongoing changes linking and unlinking of Skype service is unavailable at the moment"

They are working on it hopefully?
 

OrochiJR

Member
Just checked and in the last months I had unsuccessful log-in attempts from China, Brazil and Iran. WTF.

My Skype account sent some spam messages some months ago too, this may be related. I changed my password back then and changed it again right now just to be safe.
 

Easy_D

never left the stone age
Checked, "Recent Activity 2 minutes ago". 'Twas me. Nothing else seen on the account page. Granted I did block that port that lets the Skype backdoor work in the first place.
 

Podge293

Member
Someone did the same to me. MS locked the account though and rang me about it. Seems they used my Skype name as access.

There is somewhere in settings to turn off alias being used. 100% recommend this as this doesn't seem to be 2FA

Edit: seems it was mentioned but solid advice anyways
 

EmiPrime

Member
Thanks OP, what a glaring error on Microsoft's part. To think that my account could have been compromised because of a 12 character password I made 4 years ago, bypassing my 50+ character password and 2FA!

In a way however it confirms just how important a unique password is. Looking at my account activity I have had scumbags from all over the world try to get into my account every week through my Skype alias and yet a simple 12 character password that looked something like Yg2DbKsi%M3 has kept them out all this time just because it wasn't used anywhere else.

To be honest I am quite pissed off about this and I wasn't even compromised.
 

Smidget

Member
OK so I linked them properly, now how do I deactivate the Skype alias? Or now that they both show up they are safe under 2FA?
 

TechOne

Member
MS is aware of it. Hope they fix this loophole fast.

 

JaseC

gave away the keys to the kingdom.
MS is aware of it. Hope they fix this loophole fast.


Considering MajorNelson's acknowledgement is two weeks old now, I'd say the window on "fast" has closed. It's disconcerting that the issue wasn't made a top priority.
 
The Chinese are looking into my account? Why do we have so many services tied to something as vulnerable and easy to hack as an email? We got to the point where financial information is tied to it amongst a brevity of other personal info for accounts seemingly anyone with the knowledge and time can get into.

Like why is my login into Windows 10 my email? What purpose is it to have a communication application be tied to the security of a personal computer? Or a console? I mean in what world would someone want their computer and gaming device connected by the same password for an account that is tied to financial info?

However I have to use these services regardless so I'm pretty much stuck to it. However I would love for Windows 11 to give the option of just a password for getting on a computer again that wasn't tied to my email. However there is more likelihood of a monkey jumping out of my butt tomorrow.
 

Szeth

Member
So I'm a bit confused. If I don't have any other aliases at that link, just my email, then I don't have to do the merge thing from the Verge article? Or do I have to merge to be able to see the option and deselect it?
 

JP

Member
Damn, that's pretty bad. At least it's a relatively easy fix for people who haven't had issues with it.
I have Unsuccessful syncs from Ukraine, Bulgaria, US...and unsuccessful sign-ins from Taiwan, US, Mexico....all in the past month.

Wtf.
I check mine fairly regularly on sites that it's possible to do that on. Over the past two days I have log-in reports from the UK, Israel, Czech Republic, Australia and New Zealand. It looks bad but I do run everything through either a VPN or a double VPN if it's stuff that I absolutely need to be sure of.

Validating the log-in IPs is simple enough to do.
 
Thanks for posting this. Apparently I had "linked" my Skype/MS accounts but not merged them... what a dumb ass system.

So I'm a bit confused. If I don't have any other aliases at that link, just my email, then I don't have to do the merge thing from the Verge article? Or do I have to merge to be able to see the option and deselect it?
The latter.
 
I'm confused.

My account shows it as linked on the Skype page, but on the sign-in Preferences page it only shows two emails and not my Skype sign-in ID.

Am I safe?
 

EmiPrime

Member
I'm confused.

My account shows it as linked on the Skype page, but on the sign-in Preferences page it only shows two emails and not my Skype sign-in ID.

Am I safe?

No, your accounts are just linked and that's what is getting accounts compromised. You need to merge and then the alias will show up in sign in preferences, following which you can disable it.

Go to https://account.microsoft.com; if you're already signed in, sign out.
Enter your Skype name, not your Microsoft Account email address, and use your Skype password to sign in.
If you've linked your Microsoft Account previously, you'll be prompted to sign in and merge the accounts to create a Skype alias.
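The flaw the thread keeps circling back to is a design one: an alias (the old Skype name) still authenticates with its own password, and the account's 2FA policy is never consulted on that path. The following is an added example, not code from this thread, from The Verge or from Microsoft; it models a sign-in directory with aliases, shows the flawed flow beside a hardened one that resolves the canonical account first and applies its 2FA policy for every identifier, and includes the audit/disable step the thread recommends. Every name (Account, Alias, login_legacy, login_hardened, the sample account and passwords) is made up; the 2FA code uses RFC 4226 HOTP with a fixed counter so the run is deterministic.

```python
# Added example (not from the NeoGAF thread or Microsoft): a small model of
# alias sign-in that bypasses an account's 2FA, beside the fixed flow.
# All names and sample data below are constructed for the demonstration.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used as a deterministic stand-in for the 2FA code."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pw_hash(password: str) -> bytes:
    # Demo only: a real service would use a salted, slow hash (scrypt/argon2).
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Alias:
    password_hash: bytes      # the alias kept its own (old) password
    enabled: bool = True      # the switch the thread tells users to turn off


@dataclass
class Account:
    primary_id: str
    password_hash: bytes
    mfa_secret: Optional[bytes] = None   # 2FA is on when a secret is set
    mfa_counter: int = 0
    aliases: Dict[str, Alias] = field(default_factory=dict)


def build_directory(accounts):
    """Identifier -> account lookup; aliases resolve to the same account."""
    directory = {}
    for acc in accounts:
        directory[acc.primary_id] = acc
        for name in acc.aliases:
            directory[name] = acc
    return directory


def _mfa_ok(acc: Account, otp: Optional[str]) -> bool:
    if acc.mfa_secret is None:
        return True
    expected = hotp(acc.mfa_secret, acc.mfa_counter)
    return otp is not None and hmac.compare_digest(otp, expected)


def login_legacy(directory, identifier, password, otp=None) -> str:
    """Flawed flow: the alias branch checks only the alias password."""
    acc = directory.get(identifier)
    if acc is None:
        return "denied"
    if identifier != acc.primary_id:
        alias = acc.aliases[identifier]
        if hmac.compare_digest(alias.password_hash, pw_hash(password)):
            return "ok"                      # account's 2FA never evaluated
        return "denied"
    if not hmac.compare_digest(acc.password_hash, pw_hash(password)):
        return "denied"
    return "ok" if _mfa_ok(acc, otp) else "mfa_required"


def login_hardened(directory, identifier, password, otp=None) -> str:
    """Fixed flow: resolve the canonical account, honour the alias enabled
    flag, then apply the account's 2FA policy whatever identifier was used."""
    acc = directory.get(identifier)
    if acc is None:
        return "denied"
    if identifier != acc.primary_id:
        alias = acc.aliases[identifier]
        if not alias.enabled:
            return "denied"
        stored = alias.password_hash
    else:
        stored = acc.password_hash
    if not hmac.compare_digest(stored, pw_hash(password)):
        return "denied"
    return "ok" if _mfa_ok(acc, otp) else "mfa_required"


def enabled_aliases(acc: Account):
    """Audit helper: sign-in names other than the primary id that still work."""
    return sorted(name for name, a in acc.aliases.items() if a.enabled)


def disable_alias(acc: Account, name: str) -> None:
    acc.aliases[name].enabled = False


# Constructed sample: one 2FA-protected account with a leftover Skype alias.
MFA_SECRET = b"12345678901234567890"
SAMPLE = Account(
    primary_id="user@example.com",
    password_hash=pw_hash("correct horse battery staple"),
    mfa_secret=MFA_SECRET,
    aliases={"old.skype.name": Alias(pw_hash("oldskypepw"))},
)
DIRECTORY = build_directory([SAMPLE])

if __name__ == "__main__":
    print("legacy, alias + old password:", login_legacy(DIRECTORY, "old.skype.name", "oldskypepw"))
    print("hardened, same attempt:", login_hardened(DIRECTORY, "old.skype.name", "oldskypepw"))
    print("aliases still enabled:", enabled_aliases(SAMPLE))
```

Running it shows the legacy path returning "ok" for the alias with only its old password, while the hardened path stops at "mfa_required" and, once the alias is disabled, denies it outright. The design point is that policy (2FA, lockout, alias enablement) must hang off the canonical account object, never off the identifier the client happened to type.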
 

dragoncdf

Member
I had 3 attempts to auto sync: one from the Philippines, one from Bulgaria, and one from Chile. All were unsuccessful. I don't even use Skype.
 
No, your accounts are just linked and that's what is getting accounts compromised. You need to merge and then the alias will show up in sign in preferences, following which you can disable it.

Ok, so now I've merged them, I have two emails and the Skype sign-in username under the sign-in preferences.

Do I just untick that Skype login and I'm good?
 

ViciousDS

Banned
I just checked


HOLY FUCK, this is how they got into my hotmail without 2FA last month. I started freaking the fuck out. Thankfully I changed my password immediately and nothing was changed or accessed.

Sure enough alias is shown and was used for the login......god damn it. Fucking Microsoft
 
However I have to use these services regardless so I'm pretty much stuck to it. However I would love for Windows 11 to give the option of just a password for getting on a computer again that wasn't tied to my email. However there is more likelihood of a monkey jumping out of my butt tomorrow.

You can make a local account on Windows 10 which only exists on your PC, you don't need to tie a Microsoft account to it.

you will be missing out on all those sweet (lol) UWP games on Windows Store though
 

LilJoka

Member
You can make a local account on Windows 10 which only exists on your PC, you don't need to tie a Microsoft account to it.

you will be missing out on all those sweet (lol) UWP games on Windows Store though

You can do this and just log into each app separately if need be.
 
I just checked


HOLY FUCK, this is how they got into my hotmail without 2FA last month. I started freaking the fuck out. Thankfully I changed my password immediately and nothing was changed or accessed.

Sure enough alias is shown and was used for the login......god damn it. Fucking Microsoft
Think about it. If they get a successful sync they can download all your emails. It's unbelievable really.
 
No, your accounts are just linked and that's what is getting accounts compromised. You need to merge and then the alias will show up in sign in preferences, following which you can disable it.

Any way to find out what my Skype name is if I don't remember? It's been years since I last used Skype.
 