
December 7, 2012

Google’s Matt Cutts Shares Experience of Being Hacked

Hacking — it can happen to anyone; even Matt Cutts, head of the webspam team at Google.

Cutts took to Google+ this week to share his experience of his Skype account being hacked.

Cutts, who does not often use Skype, received four e-mails, written in Russian, through the application.

Due to the volume of e-mail Cutts receives daily, he opted not to translate the messages.

Then he received this e-mail:

“I am a researcher in the field of security. Unfortunately Skype support does not respond to a message about the vulnerability of their systems. You quadrupeds person and may be able to influence the situation. I apologize … Your password from skype account – [removed].  I also examine the security of your systems. If you’re interested, I can send you the results.
“With best regards….”

The next morning, the hackers themselves reported that Skype had a security hole.

A Nov. 14 blog post — Hack any Skype account in six easy steps — offered detailed directions on hacking Skype user accounts. The blog pointed out a major flaw with the previous password reset system — users were able to reset a password without having access to the e-mail account in question.

Skype quickly remedied the situation, however.

“This issue affected some users where multiple Skype accounts were registered to the same e-mail address,” wrote Skype’s Leonas Sendrauskas in a Nov. 14 blog post. “We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.”

Skype also issued a statement saying, “We are reaching out to a small number of users who may have been impacted to assist as necessary.”

Cutts said he only uses Skype when he is a guest on This Week in Google.

“So it wasn’t until today (Dec. 5) that I tried to log in. Sure enough, my original password didn’t work,” he said. “As always, it sucks to get hacked. I’ve talked to a lot of people who have had their website hacked, and it really feels like a violation.

“In this case, I had a month of distance and the attacker sent me the new password, so it wasn’t really that stressful. It does suck that it was Skype’s fault though — the best security practices in the world don’t help if the vulnerability is on the provider’s side. If I had any money stored with Skype, I’d feel more angry and disappointed.”

Cutts said he is “doubly disappointed” that Skype did not contact him about being hacked.

“They said that they’d reach out to users who were impacted, but they never reached out to me. Are there other Skype users who were hacked that Skype hasn’t notified or helped?”

Surprisingly, Cutts is not overly annoyed with the hacker.

“I’m not that angry at the ‘security researcher’ who hacked my account. He e-mailed me to let me know the new password, which is about as polite and good-mannered as you can expect from someone hijacking your account.”

Cutts said that while the hack was out of users’ hands in this particular case, practicing good account security is still wise.

He recommends using two-step authentication, which adds an extra layer of security to one’s account. Google offers such a service. In addition to the username and password, the user must also enter a code that Google sends via text or voice message at sign-in.

This makes it more difficult for hackers to access one’s account because they would have to discover not only the password and username, but the code as well. Read more about the service here.

Cutts also suggests using a PIN or unlock pattern on one’s cellphone.