The Next Web is reporting that a security hole in Skype's password recovery tool means that your account can be hacked using just your email address and username.
A team of Russian hackers discovered the flaw and posted details online. Since then, The Next Web has confirmed that the technique works. The five-step hack—not linked to here—uses some nimble tricks to allow a password reset to be intercepted. The Next Web explains:
"The reason this works is simple, but it's still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
Voila—account hacked. In theory, this means that anyone who knows your email address and Skype username could hack your account should they wish. Currently, then, the only way to avoid the hack would be to register your Skype account with an entirely private email address. Chances are, though, that won't stay the case for long: Microsoft told The Next Web that it is currently conducting an internal investigation into the problem. [The Next Web via Verge]
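The design flaw described above, modelled as a regression check for a reset flow. This is an added illustration, not code from Skype or The Next Web; the class, the usernames and the address are constructed, and the model assumes only what the article states (an address can be registered twice, and the token is shown in the client).

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    email: str
    password: str
    app_inbox: list = field(default_factory=list)  # messages shown in the client

class ResetService:
    """Toy model, not Skype's code. hardened=False mirrors the flaw as described."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}  # username -> Account
        self.mailbox = {}   # email -> tokens only the mailbox owner can read
        self.tokens = {}    # token -> (email, username the reset was requested for)

    def register(self, username, email, password):
        # Assumption from the page: an address already in use can be registered again.
        self.accounts[username] = Account(username, email, password)

    def request_reset(self, username):
        acct = self.accounts[username]
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (acct.email, username)
        self.mailbox.setdefault(acct.email, []).append(token)
        if not self.hardened:
            acct.app_inbox.append(token)  # weak: token also shown inside the client

    def redeem(self, token, username, new_password):
        email, scoped_user = self.tokens.get(token, (None, None))
        target = self.accounts.get(username)
        if target is None or target.email != email:
            return False
        if self.hardened and username != scoped_user:
            return False  # hardened: a token resets only the account it was issued for
        del self.tokens[token]
        target.password = new_password
        return True

def second_account_can_reset_first(hardened):
    """Regression check: a later sign-up on the same address must not win."""
    svc = ResetService(hardened)
    svc.register("original_user", "owner@example.test", "old-secret")  # constructed
    svc.register("second_account", "owner@example.test", "other")      # constructed
    svc.request_reset("second_account")
    seen_in_app = svc.accounts["second_account"].app_inbox
    return any(svc.redeem(t, "original_user", "changed") for t in seen_in_app)
```

The hardened branch applies two independent controls: the token travels only to the mailbox, and it is scoped to the single account it was requested for, so either control alone stops the cross-account reset.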
Update: Skype has issued the following statement, explaining that you should be safe for now:
"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority."
Update 2: Everything's fixed:
"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience."