Baidu link spam in Skype exposes need to secure your account

Many Skype users have recently reported seeing spam messages with links to Baidu or LinkedIn, and it appears the issue isn't a small one. As reported by The Verge, hackers have managed to breach Skype accounts to send spam even when the accounts have been "secured" with Microsoft's two-factor authentication.

Microsoft confirmed the problem in a statement to The Verge, noting that Skype itself was not breached, but hackers obtained account credentials by other means:

"Some Skype customers have reported their accounts being used to send spam," says a Microsoft spokesperson in a statement to The Verge. "There is no breach of Skype security, instead we believe criminals are using username and password combinations obtained illegally to see if they exist on Skype. We continue to take steps to harden the login process and recommend customers update their Skype account to a Microsoft account to benefit from added protections such as two-factor authentication."

Most interesting, however, is that the issue is even affecting those who have linked their Microsoft and Skype accounts together, which should theoretically eliminate the Skype login in favor of your Microsoft account information. However, as noted in the report, it appears that Microsoft still keeps your Skype username and password separate after merging, allowing it to still be used to log in. So, even if your Microsoft account is secured with two-factor authentication, hackers with the right information could still use your old Skype account information to log in and, as is occurring now, send spam to your contacts.

If you previously used a generic Skype account to log in and merged with your Microsoft account, you'll want to secure your account by changing your password. Fortunately, it seems as though you can also fully merge your account to prevent the problem altogether, but the process is slightly more involved. We've put together a guide to get you started.
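The gap described above, as a small added model (not code from this article or from Microsoft): a linked Skype name is a second login path with its own password and no second-factor check, and the audit function lists such paths. All names and passwords are constructed, and the assumption that a merged alias takes on the primary password and 2FA policy is a simplification for illustration.

```python
"""Toy model of linked vs. merged login paths (constructed data, not Microsoft's code)."""
from dataclasses import dataclass, field

@dataclass
class LoginPath:
    alias: str            # name typed at the sign-in prompt
    password: str         # secret checked for this alias (plaintext only in this toy)
    enforces_2fa: bool    # does this path demand the second factor?
    enabled: bool = True

@dataclass
class Account:
    paths: list = field(default_factory=list)   # paths[0] is the primary (Microsoft account)

    def sign_in(self, alias, password, second_factor_ok=False):
        for p in self.paths:
            if p.enabled and p.alias == alias and p.password == password:
                # A path without 2FA lets the password alone through.
                return second_factor_ok or not p.enforces_2fa
        return False

    def disable(self, alias):
        for p in self.paths:
            if p.alias == alias:
                p.enabled = False

def linked(msa_email, msa_pw, skype_name, skype_pw):
    # Linked only: the Skype name keeps its old password and has no 2FA check.
    return Account([LoginPath(msa_email, msa_pw, True),
                    LoginPath(skype_name, skype_pw, False)])

def merge(account):
    # Assumption: after a full merge every alias shares the primary
    # password and the primary's 2FA policy.
    primary = account.paths[0]
    for p in account.paths[1:]:
        p.password, p.enforces_2fa = primary.password, primary.enforces_2fa
    return account

def weak_paths(account):
    """Audit: enabled aliases where a password alone is enough to sign in."""
    return [p.alias for p in account.paths if p.enabled and not p.enforces_2fa]

if __name__ == "__main__":
    acct = linked("alice@example.com", "Str0ng-unique", "alice_skype", "reused2012")
    print("weak paths while linked:", weak_paths(acct))
    print("old Skype password works without 2FA:", acct.sign_in("alice_skype", "reused2012"))
    merge(acct)
    print("weak paths after merge:", weak_paths(acct))
```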

Have you run into this sort of spam yet? Let us know your experiences in the comments below!

Secure your Skype account

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • Yep... My skype account was compromised by Chinese and my Mobile alerted me to change my password a week ago. I was really surprised how a hacker was able to compromise my account protected with 2FA. Since then, I've removed login using my skype ID but only my account.
  • How did you remove the ability to login only with MSA? I only see the option to unlink the account.
    Also, how did you know your account was compromised? Did you see messages in your app/software that you did not send?
  • Yep... I could see a baidu url sent from my account to many of my friends. You can just allow one alias to login to your account and remove permission for others including your skype id, Mobile number etc.
  • Thanks for the info!
  • The verge article has a link near the end to disable inactive login aliases. You can disable your Skype username there.
  • Once they are fully merged (rather than just linked) together the skype name appears as an alias of your MSA and you can disable it completely. After merging you can use either your Skype name OR MSA email to logon to your MSA. Before merging (when they are just linked) the skype name can only be logged into Skype and not your MSA as a whole. It's a bit of a mess but this all happened and was reported on a few weeks ago, surprised WC is a little behind on it but good they've posted it now
  • My account has not had this issue, but yup, seen a few messages from friends who have. Glad it's getting sorted.
  • Recently I've read news about Blu android phones sending account info to China. I suspect that could be the case with windows mobiles too. I too had a Blu phone mapped to my account which I removed after this issue. I would advise any Blu users to uninstall any apps that come preloaded by Blu to be on the safer side.
  • Same here. My account hasn't been compromised to my knowledge. This explains why I got a baidu link from a friend last week. I ignored it as she contacts me via text and not Skype. I'll be sure to let her know her account is compromised and give her a link to the Windows Central articles.
  • So if I click on that link that my friends sent, does that mean I'm compromised?
  • I have one from a friend, but luckily I haven't sent any, that means I'm cool yeah?
  • You are, but your old Skype account probably still has your old Skype password and it's only linked rather than merged with your MSA
  • Thanks for the advice. I'll be removing my alias login soon.
  • Once they are merged you don't strictly have to remove it because it is then fully merged with your MSA anyway. But it's still worth getting rid of it if you won't use it. When they are merged they use the same password, before merging they use separate passwords
  • had the same issue a few weeks ago.... a log in from mexico and china, various failed attempts from vietnam, russia and more.... it took FOREVER to find the option to disable being able to use skype credentials to log in... when accounts are merged, the skype login should have been disabled by default. oh well, i spent the next hour after that recalling messages and letting people know NOT to click on the link.
  • Once merged they'll use the same password as your MSA and it just becomes an alias for your account, so keeping it isn't an issue but makes sense to remove it if you'll never use it. When merged they are truly one account in the back end. This also all ties in with MS trying to get people away from using the same email address for O365 Organisational Accounts and MSA to provide a better logon experience
  • Yep I had this too. Had linked my skype account years ago to my MSA (which has two factor auth) and my account was used to send LinkedIn spam. I tweeted this issue to Microsoft, Paul T and Mary Jo more than a month ago and went ignored. I bolstered my MSA, disallowing Skype login but I'll be following WC guide to fix things up properly.
  • I've been receiving those messages sent from the account of a friend who passed away about 2-3 years ago.
  • That is messed up, sorry for your loss.
  • I had this problem too... My skype sent links to everyone !!
  • While I have not seen my account spam others I received plenty of spam links myself. Thank you for providing the fix I shared with as many afflicted as I could :)
  • reminds me of the old "Messenger" days, I use all Microsoft hardware and software where possible and find it very safe, so much so I don't use an antivirus apart from Windows Defender, I'm still on the fence when it comes to Skype because I have always had issues with it except for this particular spam from Baidu, guess I'm just lucky..
  • For some reason my account doesn't allow me to have only a single alias...always need 2 options selected. When I chatted with MS support they said because of 2 factor, but I suspect this is not the real reason... Anyone else run into this problem?
  • Do you use the same email address with an Office 365 Organisational Account? (For an Office 365 business/enterprise plan) by any chance?
  • I received a couple of spammed messages last week, so weird and terrible.
  • I was at first receiving the spam from a contact, then my account got compromised and sent the spam to my contacts. I had my account set up to use two-factor authentication via the Microsoft App on my OnePlus One, but somehow, account still got compromised...
  • Damn, was having this exact same issue! Thanks so much for this article!!
  • Happened to me. Account now secured.
  • I'm Chinese, Chinese opinion? Fck Baidu... Shame
  • I got an alert from outlook that there was an unusual sign-in from Ukraine. 😐