If you get a link to a website with “Baidu” in the name sent through the Skype messaging system, don’t click on the link. The message will appear to come from someone you know but it’s not – it’s just the bad guys with their latest exploit. The link will take you to a phishing site that attempts to install malware. Baidu is a Chinese search engine, roughly the Chinese equivalent of Google; the link does not actually take you to a website run by Baidu but instead will redirect you to a malware site. The ones I’ve seen have been disguised as a fake Forbes web page.

If someone tells you that they received a link through Skype that appeared to be from you, your Skype account has been hacked. The steps to stop the hack are described below.

This story is still developing. It’s obvious from lengthy threads on Skype support forums that it’s happening to many hundreds of people at least, but I suspect it’s more widespread than that. My wife got messages that appeared to be from our son. Tom Warren of the Verge got messages that appeared to be from a former Microsoft employee and a Microsoft PR representative. The bad guys are still out there pounding on the system that has allowed this to go on for the last few months.

As usual, the Internet tubes are full of rumors, guesses and falsehoods about how this is happening. There is speculation about malware, security flaws in the Skype Android app, poorly chosen passwords, a massive Microsoft security breach, and demonic possession. I’ve got a pretty good idea of what must be going on based on the stories online because I’m sensitive to Microsoft problems stemming from its multiple identity systems. Keep an eye out for follow-up – I might not have this right.

As I write this on Sunday November 13, it’s possible that Microsoft is working on something related to this problem. As I describe down below, the underlying issue concerns the relationship between Skype IDs and Microsoft accounts. It’s been possible to link the two accounts for a long time; in fact, Microsoft has been actively pushing everyone to link them together. So I can’t explain the message on this page, shown below in a screen shot, unless it relates to this hacking problem. “Due to ongoing changes, linking and unlinking of Skype and Microsoft accounts is currently unavailable.”

Tip: The answer to the question, “Was this article helpful?” is, “No.”

I haven’t been hacked. What should I do?

Don’t do anything unless someone tells you that you’ve been hacked. Seriously. Diving into this rabbit hole and trying to unravel your Microsoft and Skype accounts will make your head hurt. From a security standpoint, that’s terrible, irresponsible advice and you should secure your Skype account right away. All I can say in my defense is that Microsoft has mucked up Skype so thoroughly that you will wish you had never started.

Someone told me I’ve been hacked. What should I do?

Try this first:

•  Log in to https://account.microsoft.com with your Microsoft account

•  Go to Security and Privacy

•  Under Account Security, select More security settings

•  Under Sign-in preferences, select Change sign-in preferences

•  If present, uncheck Skype name

•  Press Save

There is good reason to believe that you will no longer be able to be hacked after you do that.

If “Skype name” does not appear under “Sign-in preferences,” try this as your next step:

•  Log in to www.skype.com with your Skype name

•  Click on Settings and preferences / Change password and create a new password

That won’t be the end of it! The bad guys will likely be back in the account before long. The final step requires merging your Skype account and your Microsoft account, then turning off access through your Skype account. As of Sunday November 13, it is not possible to merge the accounts, so you’re done until Microsoft takes further steps.

Background

Skype was an independent company when it first appeared in 2003. For the next eight years, you logged into Skype with a Skype ID – a name and a password used only for Skype. Unlike most login names today, a Skype ID was a unique name (e.g., “bruce.berls”), not an email address.

Microsoft bought Skype in 2011 and allowed it to run with a fair degree of independence. That hasn’t worked out well. Skype was never integrated very well with the Office programs. Basic service has deteriorated for the last few years as the Skype division migrated the whole service to a better back end infrastructure – undoubtedly a difficult project so kudos that they’re near the end, but that upgrade was only described recently after years of complaints about dropped connections and poor quality. The Skype team worked on making Skype available across all devices as well as in web browsers, even integrating it recently into Outlook.com, but that has caused as much irritation as happiness. There is a special anger when Skype erupts with an incoming call on phone and computer app and web browser, and answering it in one place does not stop the ringing anywhere else. Microsoft also indulged its favorite bad habit of over-using brand names when it changed the name of Lync, its enterprise phone/messaging system, to “Skype for Business,” even though it has literally nothing to do with Skype – different user accounts, different back end, different program on PCs and phones, different division in the company, not integrated in any way at all.

In the last couple of years Microsoft has started focusing on its problems with identity management. Microsoft has two different sets of credentials for many people that are described and used inconsistently: a personal account, referred to as a “Microsoft account”; and a work or school account, referred to (inaccurately) as an “Office 365 account.”

Skype was separate from both of those systems, making the third Microsoft-related ID that people were expected to track.

So Microsoft began to set up Skype to accept logins with a Microsoft account as well as a Skype ID. At some point it started to push you to merge the two accounts, so you would consistently use the Microsoft account and the Skype ID would fade into the background. That was encouraged but not required.

Most people have no freaking idea what any of these credentials do. They just want to use the program. I’ve watched many, many people fumble with these options until they come up with something that works, whether they understand it or not. If I were to ask my clients and friends what their Skype ID is, it’s not just that they wouldn’t know the answer. They wouldn’t understand the question. Their what?

Microsoft has still been running the servers that authenticate Skype IDs. Maybe you’ve been logging into Skype with your Microsoft account, but if you had good records, you could also log in today with your old Skype ID and the password you chose for it eight years ago, back in the early days when we chose simple passwords and used the same one over and over. That only provides access to Skype, not to the rest of your Microsoft account services – but that’s enough for you to use Skype and send messages.

That’s the opening for the bad guys. If the bad guys can hack your password and log into Skype with your Skype ID, they can send messages to everyone on your Skype contact list. That’s where the Baidu messages come from.

It appears that the servers handling the Skype ID authentication are set up so the bad guys can pound on them relentlessly, using automated tools in brute force attacks until they find a login name and password that works – at which point they send malware messages. Every time they crack into one, they get more Skype IDs to work on. It’s possible that they’re using data from other hacks – the huge LinkedIn hack, for example – to see if people used the same password for Skype.

The online reports in the forums include people who changed their Skype password and were promptly hacked again, even with new complex passwords. Perhaps there’s a deeper security problem. I can imagine, though, that the system run by the bad guys might just immediately launch a new password attack against a Skype ID that’s known to be good.

If I’m right, then Microsoft is trying to do the right thing by moving Skype authentication to the more secure system of personal Microsoft accounts. It’s been tripped up because merging identity systems is fearsomely complex and full of pitfalls.

A few months ago I speculated that Microsoft might have a grand plan to unify work and personal accounts as well as LinkedIn accounts in one grand and glorious single sign-on system. Merging Skype IDs and Microsoft accounts is a comparatively small project, and yet it seems to have gone sideways. Identity management and single sign-on is hard and Microsoft may not be able to untangle its tangled systems.

Don’t click on the Baidu links!