by tallanvor 4813 days ago
Yeah, that's my thought as well. He was the one who either accepted multiple fake Skype accounts as contacts or let the attacker know 5 of his contacts. I'm not sure that Microsoft failed here; rather, it sounds like he did.
1 comments

Most of us wouldn't think of contacts as security information that needs to be kept private. Unless you've been through the account recovery process yourself, you're very unlikely to worry that accepting a contact request could let someone else hijack your account.

This is even worse than all those 'Where were you born?' security questions. At least with those you see that the site is using it for security, and you can choose to make up an answer. This way, you don't know what you need to keep secret until it's too late.