It's one of the most glaring security holes I've ever seen from a major online service provider: Anyone could have hijacked your Skype account if they knew the email address you used to set up your account.
Just your email address. That's it.
No last four digits of your credit card. No password. No associated Microsoft ID. No actual access to your email account.
All they needed to know was your email address.
How scary is that, especially for people who have purchased Skype credits or other services and have auto-recharge enabled? Someone could have made thousands of dollars of calls from a hijacked account.
Even more alarming, this may have been a problem for at least 2 months, yet it was just addressed today.
Yet if you think there's nothing you could have done to protect yourself from this kind of unanticipated security lapse by a provider that many expect to be trustworthy, you're wrong. Sorry to say I told you so (OK, maybe not all that sorry), but Kaspersky's suggested workaround is something I advised in my 60-minute security makeover: Don't use a publicly known email address for account login and password-reset contact info on other accounts.
Instead, use one or more separate addresses that you reserve only for this use and not for any other type of communication. This makes it harder for someone who knows your personal or business email address to use that information to gain access to other accounts.
Kaspersky advised this morning: "To protect yourself against this exploit, we recommend changing the e-mail address associated with the Skype account to a new, never-before-used address. This should prevent hackers from guessing your e-mail associated with Skype and hijacking it."
Heeding that advice for all your accounts -- or at least the ones without two-factor authentication enabled -- seems a lot less like security paranoia and a lot more like a sensible approach today.