Skype has disabled its password reset capability after hackers discovered a serious security hole that could let anyone take control of an account by knowing its email address.
The hack has reportedly been known for some months among Russian underground forums, but became more widely public on Wednesday.
Anyone who has received an email asking them if they want to reset their Skype password should check that it has not been taken over – and should reset the password themselves using the account details they have if so. However, captured accounts may have had their primary emails changed by any hackers who have grabbed them.
Skype, which was acquired by Microsoft in May 2011 for $8.5bn (£5.3bn), has more than 600 million registered users, and regularly sees more than 45 million online at any time.
The step-by-step explanation of how to hack the accounts was posted on a blog early on Wednesday, and gave simple instructions which used the "disposable account" facility offered by Skype to take control of existing accounts.
The key flaw is a web page in the password reset system, to which a token is also sent when a password reset request is made. That page allowed people to reset a password without having access to the email account itself. No email systems have been hacked.
Gaining control of a Skype account could let hackers use any credit to make calls, though the broader use is unclear. There are no details so far about how many accounts may have been hacked.
Skype moved quickly to block the hole, and said in a statement: "We have had reports of a new security vulnerability issue. As a precautionary step, we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience, but user experience and safety is our first priority."
Microsoft is looking to integrate Skype and its Windows Live Messenger system in the next few months, pulling the instant messaging clients into Skype.
guardian.co.uk © Guardian News and Media Limited 2010