Leaked LinkedIn Passwords May Be Used In Active Email And Skype Phishing Campaigns

Passwords that leaked in the 2012 LinkedIn data breach or in other data breaches, and that people have reused across multiple apps and services, may now be facilitating active spam and phishing campaigns.

Earlier this year a report said that Twitter may have suffered a data breach that revealed user passwords. The company denied those claims and said that the leaked passwords matched those released after LinkedIn was hacked in 2012. This showed that the compromised Twitter accounts were vulnerable not because of anything the company did, but because people re-used passwords that had been stolen more than four years earlier.

LinkedIn-Connected Email Phishing Campaign

Heimdal Security, a Danish security company, spotted an active phishing campaign that sends users fake emails from “LinkedIn” asking them for documents such as a driver's license or passport photo, as well as a payment receipt, which could be used to trick users into giving away their payment information.

The malicious email tells people that it’s just a “precautionary measure to defend you,” but that they need to provide the requested information within 24 hours, or the link will not be available anymore. Various antivirus tools show that the Dropbox link in the phishing emails is "clean," which means that the companies behind these security apps haven't yet identified the link as part of a phishing or malware campaign.

Skype Spam And Phishing Campaign

Going by posts on the Internet, including, as of now, 122 pages of comments in a single thread on the Skype Community forum, there have also been reports of people getting fake links from LinkedIn, Baidu, and other domains. The links seem to be used as spam, but they may also contain malware. They are automatically sent to people’s entire contact list even when the account holder is not online.

The Skype team has responded with the following:

“We’ve been working on the spam problem some of you have experienced,” said Claudius, a Skype Community Manager, on the Skype Community forum. “Whilst there has been no breach of the network, or malware exploit of a vulnerability, our investigations indicate that attackers are using a list of stolen usernames and their associated passwords to try and log into Skype accounts. Although most of their attempts are blocked or fail – many of the usernames they try don’t even exist as Skype usernames – a small percentage are successful.”

He added that, “Our conclusion is that this issue impacts customers who use, or have in the past used, the same username and password combination they use for Skype on other services as well, and at some time in the past have had those credentials stolen – possibly through a phishing attack or some other form of cybercriminal activity.”

The team also said it has taken steps to block some of the spam, but as long as the attackers have your Skype credentials, they can still use your account to spread these malicious links. Therefore, the best solution is to change your Skype passwords. You should also do this for other services where you may have re-used passwords that were exposed in previous data breaches, especially if you've re-used your old LinkedIn password for them.
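The pattern the Skype team describes (one source trying many different usernames, most attempts failing or naming accounts that do not exist, and a small percentage succeeding) can be searched for in sign-in logs. The Python below is an added example, not code from Skype or from the original article; the log format, outcome labels, thresholds, and function names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample sign-in events (hypothetical format): time, source IP, username, outcome
SAMPLE_LOG = """\
2016-11-01T10:00:01Z 203.0.113.7 alice.w NO_SUCH_USER
2016-11-01T10:00:02Z 203.0.113.7 bob1984 BAD_PASSWORD
2016-11-01T10:00:03Z 203.0.113.7 carol_k NO_SUCH_USER
2016-11-01T10:00:04Z 203.0.113.7 dave.m OK
2016-11-01T10:00:05Z 203.0.113.7 erin77 NO_SUCH_USER
2016-11-01T10:00:06Z 203.0.113.7 frank_z BAD_PASSWORD
2016-11-01T10:03:10Z 198.51.100.20 grace BAD_PASSWORD
2016-11-01T10:03:25Z 198.51.100.20 grace BAD_PASSWORD
2016-11-01T10:03:40Z 198.51.100.20 grace OK
2016-11-01T10:05:00Z 192.0.2.44 heidi OK
"""

def parse(log_text):
    """Yield (source, username, outcome) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def find_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct usernames and mostly fail.

    Returns {source: sorted usernames that logged in successfully}; those
    accounts should be treated as compromised, not as normal sign-ins.
    """
    users = defaultdict(set)      # distinct usernames tried per source
    attempts = defaultdict(int)   # total attempts per source
    failures = defaultdict(int)   # failed attempts per source
    successes = defaultdict(set)  # usernames that signed in per source
    for src, user, outcome in parse(log_text):
        users[src].add(user)
        attempts[src] += 1
        if outcome == "OK":
            successes[src].add(user)
        else:
            failures[src] += 1
    flagged = {}
    for src in attempts:
        if len(users[src]) >= min_users and failures[src] / attempts[src] >= min_fail_ratio:
            flagged[src] = sorted(successes[src])
    return flagged

if __name__ == "__main__":
    for src, hit in find_stuffing(SAMPLE_LOG).items():
        print(f"{src}: possible credential stuffing; force reset for {hit}")
```

A single user who mistypes a password several times before signing in (the `grace` lines) is not flagged, because only one username is involved.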

We've asked Microsoft if it has any new insights into what's causing the Skype spam campaigns and whether they can be stopped. The company recently acquired LinkedIn, so it now owns both Skype and LinkedIn. Presumably, it should be able to help prevent further Skype account exposures by at least requiring users who are using the same password for both services to change things up a bit.

To check whether other passwords may have been exposed in other data breaches, you can use the independent tool provided at HaveIBeenPwned by Microsoft Regional Director and security expert Troy Hunt.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.