by Swifty 4813 days ago
I wouldn't say there was any social engineering here; they asked for some details the hacker was able to give them.

This just highlights the problem of having accounts that rely on the same email address that are used for identification.

Also, I'm not sure how the author expects someone to add 5 temp accounts to bypass the Microsoft support, when you would need to have the password and have logged in to add them. In which case they're already in the account and wouldn't need to contact Microsoft. (Unless there is a way to add Skype contacts without being logged in.)

2 comments

Not with a hack, but you could create 5 accounts and ask the target to connect for some reason. By scripting this, I guess you get enough people where you "know" 5 accounts.
Yes, if I understood, the author has 1000 contacts in his Skype, FWIW.
Yeah, that's my thought as well. He was the one who either accepted multiple fake Skype accounts as contacts or let the attacker know 5 of his contacts. I'm not sure that Microsoft failed here; rather, it sounds like he did.
Most of us wouldn't think of contacts as security information that needs to be kept private. Unless you've been through the account recovery process yourself, you're very unlikely to worry that accepting a contact request could let someone else hijack your account.

This is even worse than all those 'Where were you born?' security questions. At least with those you see that the site is using it for security, and you can choose to make up an answer. This way, you don't know what you need to keep secret until it's too late.