Skype: Spam messages & links sent from your account?

[Batu69]

Every now and then here on the Skype Community we see another wave of reports from customers saying that their Skype account sends unwanted spam instant messages to their contacts including links to Baidu, LinkedIn or other popular online services. Please follow all the following steps to learn how to act on these and take back control over your account:

1. Checking your computer security

Is your antivirus scanner up to date? Your firewall still active? Malware scanning doesn't find anything? This is to ensure that no keylogger or other backdoor is transmitting your password input to bad people somewhere else.

2. Update your password(s)

If you have a Microsoft account (e.g. you sign in with either email or phone number) and you never linked a Skype name to it before September 2016: Simply Sign in to your Microsoft account, then select Security & privacy and then select Change password.

 

If you linked your Skype account with your Microsoft account in the past: there are still two passwords that grant access to your account. The best way to consolidate your passwords is by opening https://account.microsoft.com and sign in with your Skype name and password there. If this is the first time for you signing in since October 2016 you will be asked to update your account. More information in the article One account for Skype and your other Microsoft services - NB: After you have updated your account going forward there's only one password giving access to your unified account.

3. Protect your account

Now to updated your password (and possibly your account as well) secure it by setting up two factor verification: https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification

Frequently asked questions (and answers to them)

I didn't even use Skype while the spam messages were sent? / I haven't signed in to Skype for ages? / I was only signed in to Skype on my mobile phone and the device was always with me?

The spammers obtained your credentials and signed in from another computer at any other place in the world to send out the spam messages. They don't need access to your device or even you to be signed in to send their spam.

 

How did the spammers obtain my account password(s)?

Over the past years unfortunately data leaks of user credentials (emails/usernames + passwords) have become somewhat of a regularity. If you have been re-using credentials across multiple services then just one service leaking your data will compromise these credentials everywhere else. You can check if your username or email was part of any recent popular leak on the following website: https://haveibeenpwned.com/ - If  you see the message "Oh no — pwned!" you should update your password everywhere you use this username/password.

 

Even if your information was not part of a data leak your computer or a computer you used your credentials on - in internet cafes, at a friend or family shared computer, even at work - could have been compromised by malware and your password information gotten into the wrong hands that way. That's why two factor verification/authentication is a powerful tool to enhance your security.

 

But I checked sign ins via the /showplaces chat command?

The output of this chat command does not list currently signed in endpoints reliably. Instead it lists all endpoints registered to receive notifications, e.g. for incoming calls. This list largely overlaps, but the output is not a reliable indicator. After you have updated your Skype account to a Microsoft account (see Step 2 earlier) you can use the "Recent Activity" report though: https://account.live.com/Activity

 

Article source