
Skype Passwords Compromised?

I just received the following scary notice from Skype (full text below). It suggests that some Skype users, at least those who had also logged in at share.skype.com (the Skype corporate blog), have had their Skype passwords, and thus their SkypeOut account access, compromised.

Thanks to Kurt Sauer, head of Skype Security for clarifying:
  1. Fewer than 1% of Skype users were affected
  2. Only users who'd registered on the Share.Skype blog
  3. This was a routine upgrade, not a response to a data leak
You can read Mr. Sauer's full remarks in the comments to this post.
This is a very serious matter and a breach that many security experts have warned about. When share.skype.com launched, I remember expressing my concerns (and also the benefits) about using Skype names to capture comments from the community in the blog format. I was 1) surprised they could do it and 2) uneasy that I'd be using this password each time I logged in.

If your Skype name is compromised you will be notified by an email. I would like all readers who have a compromised account to leave a comment on this blog. I'd also like to hear from anyone who gets this email but has never logged into share.skype.com. I also wonder if this "process" is going on further behind the scenes. My guess is that many Skype IDs with no current e-mail address on file are going to be lost by their users. When I replenished my SkypeOut account yesterday, my email was re-verified and the terms were presented again. I may have to test the other 20+ names I hold to see if they tell me anything.

Remember: you must change the password that is sent to you. It arrives in an unencrypted e-mail, so to be safe you must go to Skype and change it again, and don't change it back to your old password. This means users must change their password twice. Anyone scanning e-mail traffic for the phrase "Skype password" could potentially capture user names and passwords and have a field day with perhaps millions of user accounts. How big is this? We don't know. How many names were compromised? How many emails were sent?

By the way, some are asking whether this is a hoax. It is not; see the Skype Forum, where it is written "Your email address has not in any way been compromised or hacked." Nope: share.skype.com didn't have access to your email address, only your Skype password. Some have noted difficulty getting their new passwords; apparently it may require some patience.

Read the full contents of their email below:

(Update: Tried to make a SkypeOut call. My Skype was closed and I am now without a password having followed their instructions. So much for business!)

Dear share.skype.com user,

We are upgrading share.skype.com so that the system used to sign in to the site is better integrated with the main Skype.com user sign-in system. You used your Skype Name and password to sign in to share.skype.com previously to participate in discussions and use personalized content, and you will continue to do so.

Because of changes in the secure password storage system, we would like all share.skype.com users to update their Skype password to ensure their continued privacy.

During the next 24 hours, we will be resetting the passwords of all affected Skype Names. In order to sign in to Skype the first time after this reset, you should simply follow the procedures for recovering a lost password. Just go here and follow the instructions: http://www.skype.com/go/forgotpassword

Remember that Skype will never contact you to ask for your password.

WHAT DO I NEED TO DO?

Just go here to get your new Skype password: http://www.skype.com/go/forgotpassword

If you have trouble getting it from there, please submit a Customer Service ticket at this address: http://support.skype.com

Alternatively, you can e-mail to support 'at' skype.net, to reset your password.

HOW DO I KNOW THIS E-MAIL IS NOT FAKE?

We have recently seen a lot of Skype-related faked e-mail. You should always be careful about such e-mails. Remember, Skype will never contact you to ask for your password. To show you that this e-mail is valid and from Skype, a copy of this mail is posted at the following address: http://share.skype.com/share.skype.com_upgrade_and_your_skype_password_change/


Skype. The whole world can talk for free.
http://www.skype.com/

DON'T WANT TO HEAR FROM US AGAIN?

We don't want to send emails you don't want to receive, so please remember that you can just send an empty e-mail to the following address and we will never bother you again: mailto:unsubscribe-XXXXXXXXXXX@news.skype.com


Comments

Hello. My friend has just lost his password. He can't log on to Skype anymore. Unfortunately he had some money on SkypeOut. Don't wait. Also he can't remember if he ever logged on to share.skype.com, so the risk is even bigger.

I got the same e-mail for my main Skype account! I didn't receive other e-mails for other accounts I have (I only registered with my main account name on the "share Skype" blog). I agree this is a big nuisance and scary :-( , although they try to reassure!
I am indeed angry! And you are right: those who didn't register with an e-mail address, or who "lost" the e-mail address for any reason (e-mail account cancelled for instance) will also lose the username and credit! Unless Skype has a solution for this!

I got the same email from Skype. And until I read this post, didn't really look at it. When I read this, I hurried over and changed my password but the promised new password hasn't arrived. Am afraid to log off Skype as I will be stuck. Hope my SkypeIn and SkypeOut credit doesn't vanish. This is nuts. Skype is probably overwhelmed by the number of requests and hasn't been able to respond to all ... am hoping.

Why some users got a password change

Skype has a standard for storing all Skype user credentials and we've just completed an audit of our platforms to make sure that all systems meet that standard. One of the elements of this standard is that all user password authentication must be done by a central system that employs a single uniform password encryption and storage methodology.

If any of our service platforms want to use Skype usernames as the basis for identity, they must use that central authentication system. By using the central system, we believe that we can best protect our users' privacy.

Our audit showed that only one system in our services infrastructure stored encrypted user passwords outside of our core authentication system, and this was the "share" site. The "share" site stored encrypted user passwords, too, but should have used the central system to do all authentication.

However, because passwords for users of the "share" site were stored in a different encrypted format than that which we set as our standard, I directed our operations team to eliminate the parallel storing of encrypted passwords, to consolidate the authentication systems, and to require users to change their passwords to ensure that stored passwords are always stored securely.

As of this morning (30 November 2005), we had consolidated all authentication in one place and eliminated the parallel storing of encrypted passwords. With that task completed, we then began the process of notifying users and requiring password changes for users.

How we're dealing with the problems

The password changes affect less than 1% of Skype's registered users and its implementation enhances the security of Skype users and of Skype's service offerings. But we know that some users have had problems resetting their passwords as a result of this authentication migration. Our customer service team (http://support.skype.com) is aware of these issues and stands ready to assist people who have had these kinds of problems.

Because of this experience, as well as suggestions received by users, we are working on a number of longer-term solutions to make password management better and more robust.

Kurt Sauer
Head of Security Operations
Skype Technologies, S.A.

Every service has to do this now and then. What bothers me is the way they did it. I was blindsided.

I received a SkypeIn voicemail last night (from the UK while I was sleeping in California). I clicked to return the call and Skype killed my 15 open chats, logged me out. I missed a scheduled press interview, and connecting with various team members because of this lockout. I was at the gate to Skypeland for an hour. Frustrating. And scary like you said.

I got locked out too, had to request a new password

Interesting analysis, but I'd be surprised if Skype/eBay would try and cover up a security breach as they'd be sure to be found out eventually and get a lot of bad press on it.

Have you contacted Skype for comment?

Is it safe to choose my old password again?

Damn being an alpha tech geeky user - I had to go through the saga this morning....annoyed

This is exactly the type of issue that makes Security Consultants like myself cringe and what makes enterprise security people say "See, Skype is clueless about security". This is the WORST mistake a company like Skype can make.

The general rule of thumb for this sort of need to update personal information of any kind or any information about a user's account is to follow the following rules:

1. NEVER ever place a URL in an email - this practice of URLs in email whenever you are asked for anything personal is why issues like Phishing cause so many losses for companies. The practice should be to just say "Go to our website directly and update your information". "We do not put URLs in emails like these so that you know you are going to the correct site and to protect your privacy." "Any emails from Skype with URLs in them that ask you to update your information should be considered BOGUS!"

2. Any emails with URLs in them that ask you to update ANYTHING about yourself should be considered malicious and deleted.

3. NEVER ever send a username AND a password in the same email - EVER!!!!!!! Send two emails, and even better at different times or days. Make the hackers work at it - don't give it to them on a silver platter.

Bad Bad Skype and "Hey eBay... you know better than this... Verisign and PayPal need to hold a Security Workshop with you on this."

MG
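As an added example (not Skype's code, nor code from this post), this sketches the alternative that both the post's warning about the password arriving in an unencrypted e-mail and rule 3 above point at: a reset token that is random, single-use and short-lived, stored only as a hash, so that a copy of the mail is not a usable credential and the user chooses their new password once. The function names, the 15-minute lifetime and the in-memory stores are assumptions.

```python
"""Password-reset flow that never mails a usable credential (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes

# Constructed in-memory stores standing in for the user and token tables.
USERS = {"alice": {"pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def issue_reset(user: str, now=None) -> str:
    """Return the one-time token for the reset link; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    RESET_TOKENS[_hash(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the token exactly once; reject unknown or expired tokens."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_hash(token), None)  # pop makes it single-use
    if record is None or now > record["expires"]:
        return False
    # The user-chosen password is stored salted and stretched (PBKDF2-SHA256),
    # never in a form that can be mailed back to anyone.
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    USERS[record["user"]]["pw_hash"] = (salt, pw_hash)
    return True


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    stored = USERS.get(user, {}).get("pw_hash")
    if stored is None:
        return False
    salt, pw_hash = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, pw_hash)
```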

Kurt,
Thanks for your detailed answer. It seems to put things at rest. I hope next time the communication is a little more effective.

From my perspective, I just wanted to provide the user response. Gut feel reaction to the message and getting kicked off Skype. I was not alone.

Have been using Skype all day, restarting. Got a new password in minutes, everything went seamlessly.

I got the same message in e-mail, but have never logged onto share.skype.com, just www.skype.com. In fact, I've never heard of share.skype.com. I've used forum.skype.com, but use a username totally different from my Skype username.

My Two Cents Worth

I got the email, too. And I have just checked, and sure enough, it refused to log me in. But who cares. I have switched to Gizmo, so I can use my regular phone with it even when my computer is turned off.

I too was unaware of ever having heard of share.skype.com, much less ever logging in or participating in a discussion. That the email posed and answered the question of how I would know this email was not a fake was in no way reassuring - we all know how dementedly devious these spammers and phishers are. Earth to Skype - most of us out here are not engineers and often don't understand what engineers are talking about. Whatever the security issues, Skype really need to hire a communications expert or two who understand how to communicate technical issues in a way that is both secure and gives confidence that the procedure explained is appropriate and not phishy. 0 out of 10 and I'm a big Skype fan.

I don't recall ever using the share.skype.com but I too received the email and I'm locked out of skype now. Unfortunately, I use hotmail (big mistake) and have been waiting for 10 minutes to get the skype email with my password reset. Lessons learned are that skype is not quite prime time and hotmail sucks!

I bit the bullet, went to the change password site, got the new pw in the email, logged back in without incident, then changed the password again and logged out and back in successfully. Now I'm breathing again.

Apparently, I must have registered with Skype without an email. So my password has been changed, I didn't get any mail, and I can't reset it. Great... And I had SkypeOut credit that seems to have been stolen by Skype now. Not much fortunately. It was good that I only bought the minimum amount.
And yes, I have heard good things about Gizmo. I will definitely try to switch if this doesn't work out.

It's been over 8 hours since I reset my password and I have not yet received the new password by email. I've also written to support separately. Am now locked out of Skype. What should I do?

Hi, when will emails be sent to affected subscribers? I haven't received one.

thanks a lot.

No email received but when I tried to use SkypeOut it informed me my password had been reset. Apparently I did not have an email address in my profile so all is lost(?). I emailed support for advice.

What a bunch of idiots these Skype people. I am a Skype and SkypeOut user and I am so mad they would do this the way they went by it.

That email I received, looked so fake, I dismissed it.
Of course, I can not use my SkypeOut credit/ place calls.

Heads should roll for this.

Thanks for the heads up. Hope I am not a victim yet. I'm foolish enough to use the same password for everything. D'oh!

I have changed my new password to a revised one but I notice that the forum still requires the original one.

I thought the reason for renewing passwords was that Skype and share.skype forum would have an integrated server (presumably with the same password).

Yep like every body I was freaked by the email. Thought that it was a scam but checked the link, filled in my details and got the email with new PW within 2 mins, entered it and all ok. BUT as a PR stunt, what a huge stuff up - they should have warned people (if possible) unless a security breach was imminent. Ebay are going to be ropeable especially as other contenders to the Soft VOIP crown are lurking.

Update: I got a pretty quick response to my email to support, got my password reset, and I'm back in business again. I was surprised and annoyed at first. But I'm satisfied with the quick response.

Update - Skype support got in touch with me and asked for an alternative email id. Once I sent that, I got back in !

You say "Don't change the password back to the old one", is this really an issue if Skype are just saying they are integrating two separate servers. I'm no techie and was fairly confused by the email and the experience of renewing passwords etc.

Not very clear from Skype at all.

I just found I had to "renew" my password; got the email very quickly and the correct SkypeOut balance was there when I logged in. A very mild hassle in the end.

Got the mail - clicked the link - entered e-mail address - clicked submit - NOTHING.
Waiting for hours.
This is unacceptable business and I will terminate using this service.

I'm not able to get into Skype, and since I was a VERY early adopter who didn't want to give my e-mail address to a then-unknown company, I cannot reset my password. Looks like that username is now dead, along with the 9 Euros of SkypeOut credit I had.

Really, really bad move, Skype.

Mine was compromised also. But retrieved it successfully.

I also thought this message was a hoax, deleted it and told my friends to also do it.

Well, i was wrong about it, but thankfully we all could recover our passwords.

I got this message too, in the middle of a phone call and was promptly cut off. I tried to follow the route to the email address I had used for lost password as directed but that was rejected as not being valid. I am hoping that support will be able to send me a password, though the matter is not yet resolved.
I wonder whether it would be a good idea to look at VOIPcheap or some other supplier as at the moment skype does not feel secure or for that matter reliable. I confess that I am very reluctant to start over again and lose my credit through no fault of mine.

I'm really sure mine was used. But I moved house and broadband connection so the email cannot be retrieved. What the heck am I meant to do now?

Can't login too. Never registered an email so let's see what the ticket will give..

I'd also like to hear from anyone that gets this email that has never logged into share.skype.com

I use SkypeOut and have never logged into share.skype.com. I don't believe Skype when they say everything is cool because a trace on the IP from that mail results in Doubleclick.

inetnum: 62.221.20.0 - 62.221.20.255
netname: CW-DOUBLECLICK-IE-NET
descr: Double Click, Ireland
country: US
admin-c: TF29-RIPE
tech-c: GNOC4-RIPE
status: ASSIGNED PA
mnt-by: AS5378-MNT
changed: *************@cw.com 20030620
changed: ********@de.cw.net 20050929
source: RIPE

Received: from mta.news.skype.com ([62.221.20.26]) by dnstemplate.com

The other mails from Skype all have another IP which resolves to Skype.


Explain that, Skypemasters.

I got my password lost too. As long as I can recall I have never ever logged in to the share site. I haven't received any mail from Skype, nor can I reset my password through mail, as I didn't register any with them. I contacted support by mail 3 days ago, no answer yet. This is an inexcusable mistake from Skype.

Compromised passwords are the inevitable consequence of how most service providers manage this information:
http://bertorello.blogspot.com/2005/11/secure-internet-exchanges-for-dummies.html

Sir,
I have many Skype friends, but I can't sign in to my Skype ID. Somebody changed my ID.

Please help me. My ID: hessashanavas

I am from the United Arab Emirates. Here we can't open www.skype.com because of a network error, so I can't use the forgot password option. Please send my password to my e-mail... thanks

One of my accounts is locked out too. I can no longer get a new password as no mail address is registered for the account.

Thank you for the blog. It's been a relief to me)

I never used any Skype forums before today. I never got *any* email from Skype regarding the matter of compromised passwords. And yet, I was locked out of my account. That was in early December. I just got access to my account restored yesterday (Dec. 27) -- after nearly a month.

There's something fishy about what happened, and definitely something wrong with *how* Skype handled it. Completely unacceptable. They've obviously done a good job covering this whole mess up, however. I've heard virtually nothing about this outside of a few blog complaints (and if it affected "only about 1%" of Skype users, we're talking about perhaps 100,000 or more screwed customers).


I lost my Skype password two weeks ago.
I would like to use the same Skype name because I have a lot of contacts in the same ID.

When setting up, name and password both got rolled into one long user name. They require separating and re-insertion.
Please tell me how to do this!!! I have never sent any previous requests for assistance.

Thanks John Brookie.
