Hint: you can change your email to something like email@example.com to avoid registration of a new email address.
Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible; there's no excuse keeping this vulnerability possible when it's been made this public (step-by-step instructions to hack someone's account, with screenshots!), especially since you were contacted privately about it ~3 months ago.
Be realistic. If two people need to talk about it, it's going to take longer than 2 minutes.
The two hours were most likely spent on office politics as opposed to fixing the problem. I'm surprised it wasn't > 5 hours to be honest.
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.
I see no recourse other than closing my account, if that's still possible. No, not even that is possible.
After adding the email address and clicking save, logging out, and logging in, I found the email address was successfully added. At this point I could change it to the primary one, click save, paste my password, and click the button on the password prompt to successfully change my primary email address. If I tried to add the email and make it primary in one session, it would not work. If I entered my password and hit enter, it would not work.
Character not recognized. Please choose a mix of letters and numbers.
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
The notification about the password reset token does appear in the Skype client, but no reset code is shown at first. Then I pressed Ctrl+F5 on the home screen, skipped the Facebook thing, and here they are!
On OS X it doesn't work, though. The password token notification doesn't come.
aaaaa1 - strength: medium
aaaaa12345 - strength: poor
=aStu!et$aQ@212345 - strength: poor
1. At least 3 out of the 4 categories uppercase, lowercase, digit, special character
2. No character could be repeated more than two times
3. No sequence of 3 or more increasing or decreasing letters or numbers could be present (and not even consecutive: "ta/Tbs#cz" would be rejected because it contains "abc").
4. No English words or names could be present.
5. It must be at least 8 characters
There may have been other restrictions too, I don't recall the exact details.
This meant that perfectly reasonable passphrases (like "correct horse battery staple") would be rejected. Even if you tried to come up with a good password that met the rule, you might fail by accident because "89cRbcThe*)" has the word "The" in it. You would generally have to come up with a password, then whittle it down slowly until you passed all of the rules, usually making it weaker in the process.
George A: Hello! Welcome to Skype Live Support! My name is George. How may I help you?
me: Recently I have received an email welcoming me to Skype (not phishing, I verified). The problem is that I didn't create the account mentioned in the email. The account name was "[NEW SKYPE ACCOUNT]" and my email is [MY EMAIL 1], so I think that user mistyped his email address, and then Skype sent a welcome message to me. Doesn't Skype verify email addresses before sending a welcome message?
George A: I understand that you are concerned about your email address being used to set up a Skype account, I'll be happy to help you with that. May I please have your Skype Name?
me: [MY SKYPE ACCOUNT]
George A: I would also need the email address, please.
me: [MY EMAIL 1]. Let me check that this address is on my Skype account... OK, my email on file in Skype is [MY EMAIL 2], and a few others too, all mine :)
George A: Well, I see that there is only one Skype Name registered under that email address; the Skype Name is [NEW SKYPE ACCOUNT]
me: Yes, for my account ([MY SKYPE ACCOUNT]) the primary email is [MY EMAIL 2], but other emails on profile are [MY EMAIL 1], [MY EMAIL 2], [MY EMAIL 3].
George A: May I please ask you to confirm which Skype Name that you do
me: Does Skype send a verification message before assigning the email to an account? The Skype name which I didn't create is [NEW SKYPE
George A: May I also have the email address that was used?
me: [MY EMAIL 1]
George A: Well, I would need to send you a confirmation to that email address. I would kindly need you to reply back to that email.
me: Please do
George A: Then, we will be able to delete that Skype Name for you.
me: thank you
George A: You are most welcome, please expect my email within 10 minutes. Is there anything else I can help you with today?
me: Could you tell me if email accounts that are registered with Skype are being verified by sending a message to them? If so, maybe there's a bug in your system?
George A: We send a welcome email to the registered email address whenever a new account is set up using that email.
me: OK, that's what I received. And then you also send other emails with offers to the same account. So, basically, anyone can create an account for any email. Why don't you verify emails?
George A: Please understand that all of us here at Skype take our customers' privacy and confidentiality very seriously
me: OK. Thank you.
George A: You are most welcome. It's been a pleasure speaking with you today. Thank you for contacting Skype Live Support, have a great day. We value your feedback. Please be aware that we will ask you a few questions after closing the chat window about your experience with us today. Once you are ready please click on the "Exit" button.
me: I suggest adding a link to the Welcome email that says "I didn't create this account". Bye!
And now this failure to verify emails leads to the linked vulnerability. Nice.
http://www.h-online.com/security/news/item/Skype-investigati... claims that I discovered today's vulnerability, but I didn't. I discovered, by accident, that Skype doesn't verify email addresses (in fact, they still don't, even after fixing the vulnerability); I don't even think that I'm the first person to do so.
Edit: I also didn't write the linked blog post, it was someone else.
This attack is truly horrendous and its disclosure will most likely reverberate for a while.
What's interesting is after spending 30min or so clicking around Blizzard's site there is no way to actually contact support without having an account. You also can't claim the account, because you need a first and last name along with the email address, and I only have one of their names.
In the end I just left it; it was an old account and there is no evidence that they had real access, and as it was a legacy account I'd securified it anyway (creating a massive 32-character random password and storing it in a password manager, just to close off any loose ends).
It should be noted that after my account password was changed, I tried to log in with the old password; the Windows Skype app told me the username and password combination was wrong but it still let me log in. This may be a different bug in caching?
Hope we can get a postmortem report out of this...
Can't believe Skype has been ignoring this issue up until it got to the top of Hacker News and Habrahabr.
1. Most people use the same or similar password, so once one account gets hacked, the attacker is probably able to use many other accounts on different services with the same email address/password combo.
2. It's easier to spot services that spam, or that leak your email address (I became aware of a leak of email addresses on Box... luckily it was only emails that got leaked, at least according to Box support).
3. It's easier to block spam, once a service misbehaves or gives away the email.
I wrote a little more about using it as a "passwordless password manager" at http://blog.gingerlime.com/2011/passwordless-password-manage...
update: (if blog post is too long...) this does not mean setting up hundreds of different email accounts. On most services like hotmail, google and yahoo you can simply append some unique string to your email address, e.g. firstname.lastname@example.org. Making this unpredictable is important however, so appending +facebook and +twitter is not helping much though...
I think something is really broken in today's web authentication scheme. I think there is really huge need for some independent and reliable service (Mozilla's Personas maybe).
For example, if my email is email@example.com, then I would use firstname.lastname@example.org when signing up for Hacker News.
Sometimes, I don't actually remember and just end up going to my inbox to find an email from the site so I can look up what I used.
Another time, this backfired on me when I purchased concert tickets using a +descriptor email and couldn't login. The purchase form and login form had different validation rules, so the purchase form accepted my +descriptor email and charged me for it. The login form rejected my +descriptor email and I was rushing to contact customer service to print my ticket in time.
If someone was directly targeting me, and had my email address from another site, they could probably figure out what I'd used elsewhere. But if it's just a script running through email addresses harvested from site A, then mine will almost always be irrelevant on site B.
The main reason I use it though is that it's a great way to figure out where spam is coming from. Last week for instance I got a "male enhancement" spam from an email address I've only ever given to scan.co.uk. That address is now on my block list and I doubt I'll be buying through them again.
Sadly this is at best a complicated workaround that will work for people who are motivated enough to remember a separate email and password for each different service; in addition you have to remember the credentials to manage your email address and check the emails from different sites.
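One way to make the per-service tag unpredictable (the point made in the "update" comment above) while still being able to work out which service leaked an address (the spam-tracing use described here). This is an added example, not code from either commenter or any provider: the mailbox, domain and secret are constructed placeholders, and deriving the tag with an HMAC is my assumption about how to make it unguessable.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a real one would live with the rest of your long-lived secrets.
SECRET = b"constructed-demo-secret"


def service_alias(service, secret=SECRET, mailbox="firstname.lastname", domain="example.org"):
    """Derive a per-service '+tag' that cannot be guessed from the service name:
    tag = first 40 bits of HMAC-SHA256(secret, normalized service name), base32-encoded."""
    name = service.strip().lower().encode("utf-8")  # 'HackerNews ' and 'hackernews' get the same tag
    mac = hmac.new(secret, name, hashlib.sha256).digest()
    tag = base64.b32encode(mac[:5]).decode("ascii").lower()  # 5 bytes -> 8 chars, no padding
    return f"{mailbox}+{tag}@{domain}"


def attribute_leak(leaked_address, known_services, **kw):
    """Given an address that started receiving spam, recompute each known service's
    alias and return the service that was handed that address (None if no match)."""
    target = leaked_address.strip().lower()
    for service in known_services:
        if service_alias(service, **kw) == target:
            return service
    return None


if __name__ == "__main__":
    services = ["hackernews", "skype", "scan.co.uk"]
    for s in services:
        print(f"{s:12} -> {service_alias(s)}")
    spam_to = service_alias("scan.co.uk")
    print("spam arrived at", spam_to, "-> address was given to", attribute_leak(spam_to, services))
```

A guessable tag such as "+facebook" matches nothing in this scheme, so an attacker holding one leaked alias learns nothing about the aliases used elsewhere.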
In my case it would mean having about 100 email addresses.
With the rise of mobile apps though, we introduce more usernames and password daily.
I believe there is an easier way to handle user authorisation and here is a post about it. https://gist.github.com/4052818
Of course it's better to have a real password manager, but for most people, who don't or can't be bothered setting this up, this would be a huge step forward since they anyway use the same email and the same password everywhere.
Never, ever re-use passwords for anything you value.
Most people re-use not only the password, but also their email. This is the worst combination.
If you use an unpredictable, unique email address and a secure password, then even if it leaks on one site, the attacker has no easy way to predict what your email address is going to be on any other site without having access to the list of email addresses.
1) Buy a domain and attach Google Apps to it.
2) Switch on the catch-all email setting in preferences.
3) When registering for a service, use an email like email@example.com or firstname.lastname@example.org etc.
So if your goal is to maintain email-provider independence, then relying on provider-specific features like the '+' modifier works against that goal.
For me though, the main reason I don't use it is most sites that I want to use it on reject the '+' in the address as invalid. It happens enough that I don't bother trying anymore.
What problem are you solving?
The email addresses are not as sensitive as passwords. Sure, if someone gets hold of all of them AND your master password you're in trouble. But the same goes for getting your password manager file and the password for it.
The difference is you don't need a password manager software. You can store this list anywhere which is reasonably safe.
As with everything security related, there is a trade-off. I'm not saying it's more secure, but it can be more convenient in certain circumstances and for certain people.
A password manager is more secure (if the master password and the manager software are safe). A unique email address + unique password with a password manager is even more so. Two-factor authentication even more... and so on...
It's just a question of options/priorities. This is still a valid option in my opinion which might work well for some people who don't want / can't use a password manager, but can handle a list of random email addresses...
then I have a catch-all on the domain, and lower the priority of emails that aren't to my normal address, but any important emails get their own forwarder to forward into my main inbox, so I will get the emails on my mobile devices.
Quite effective actually.
* More people that I'm in contact with have Skype installed vs. have Google Voice and Video installed
* I use Adium as my IM client as I find it easier to use than Google+ in browser chat. To avoid double notifications, I keep chat closed 'in browser', which adds friction when starting a hangout
* Skype makes the call much faster than Google+ hangouts. In hangouts, the call usually times out but if I leave the window open, the other party will eventually join
On the plus side:
* Google+ hangouts call quality is usually much better
* Skype can't do multi-user video
* I find the 'in call' Google+ hangouts interface much more intuitive.
Or screen sharing, it was completely unusable in Google Hangouts on Linux just 2 months back whereas Skype didn't have any issue and worked (surprisingly!) flawlessly.
I don't really perceive the network effect that much, everybody I have on Skype also has a Google account.
Is there a way to actually just phone somebody with it, the phone on their computer rings, and they answer it?
Preferably with a standalone client, as I can't guarantee I'd remember to open and leave open a browser tab.