The company takes the silent approach

Sep 3, 2008 09:09 GMT

Hundreds of people reported to Skype that their accounts had been hacked. The victims either couldn't log in anymore, or discovered that unapproved payments had been made by someone using the embedded PayPal option. The transactions performed via Skype prompted users to vehemently complain about the security breaches allowed by the company.

 

And what better method to resort to than writing directly to Skype and asking for some sort of redress, whether that means retrieving a password or refunding the money lost to the hijackers? Surprisingly enough, the company seems to have remained impassive to most of the complaints received so far. On the Skype discussion board, one user claims to have sent the company one email a day from the moment he discovered that his account had been hacked. In some cases, although at least one month separated the incident from the time of posting on the forum, no answer came from the company.

 

When no money is available, hijackers often use the compromised account to steal personal information about the people in the victim's contact list. Unwary contacts don't pay attention to details and can't tell the difference between their friend and the person who hacked into the friend's account.

 

“I usually talk to my brother in Germany several times a week over Skype, and since I got hacked he has seen my account online with changed profile and country setting,” one user says about the moment he realized that his privacy was being endangered.

 

The few emails that Skype eventually does send back usually bring nothing but bad news. “Skype can not refund the money you might have lost due to this incident. Every user has to take care of his/her security systems on private computers,” is the message sent to a user who managed to retrieve his password, but not the money that he had lost.

 

No one knows exactly which security vulnerability the hackers exploited. Because the username and password are encrypted during the sign-in process, it seems almost impossible that a man-in-the-middle attack was employed.