I received a spam message via Skype today from a person whom I normally think of as too sophisticated to do something silly like re-use passwords. I also heard of another person who had been compromised but had absolutely no idea how it may have happened.
As part of my research into what may have been the source of the compromises, I learned that if you have previously linked your Skype and Microsoft accounts and have enabled two-factor authentication (2FA) for the Microsoft account, bad guys can still get access to your Skype account if they have your old Skype username and password, because that login path is not protected by the 2FA for Microsoft accounts.
There is a fix, however: “merging” the two accounts, which is not the same as “linking” them. Details are here:
You’ll end up with just the one password for both your Skype and Microsoft accounts – the Microsoft account password – and apparently you will now be protected by the 2FA even when you use your old Skype username to log in.