The reason this works is simple, but it is still worrying. When you sign up for Skype with an email address that is already registered, the service emails you a reminder of the username tied to that address. On its own that is acceptable, since nobody else should be able to read your email. The problem is that the sign-up also creates a second username on the same address, and a password reset requested from that new account delivers the reset token inside the Skype app itself rather than only to your mailbox. A third party who registered that second username can therefore read the token without ever touching your email, redeem it against your original username, and take over your account.

[Image: Skype password reset]

This should not be allowed, as it lets anyone create another username for your Skype account simply by knowing your email address. The person who disclosed the vulnerability says it has been reported, but the hole is clearly still open. In the meantime, the best way to avoid being targeted is to switch your Skype account to an email address that others do not know.

We have contacted both Skype and Microsoft about this issue in the hopes that it can be corrected sooner rather than later. We will update you when we learn more.

Image credit: Nick Benjaminsz