Following the hacking of Microsoft’s India Store by Chinese group Evil Shadow, the company has sent an advisory e-mail to registered users asking them to keep track of their credit card accounts for any unusual activity, admitting that financial information could have been compromised during the attack. The company has also set up a helpline for customers, which they can call between 9 a.m. and 9 p.m. at 1-800-102-1100.
This looks like a serious security oversight on the part of Microsoft and e-solutions provider Quasar Media, which was appointed by Microsoft India to own, maintain and operate the online store. It appears that the site was not just storing user credentials in plain text, but also storing credit card data, which is usually exchanged over a secure payment gateway. It might also be the case that there was a breach at the payment gateway integration level, or that the company has detected some holes.
Nikhil adds: Given the number of instances of hacking of websites – especially financial websites – that have been made public in the last year itself, it’s surprising that Microsoft continued to store passwords as plain text, and retained credit card information. This incident should serve as a warning to both consumers and e-commerce players. There should be mandatory disclosure from e-commerce companies about the kind of user information they collect and store, and processes by which users can delete their information.
Here is the text of the e-mail from Microsoft:
In a previous email on Feb. 12, 2012, we notified you there may have been unauthorized access to some of your customer account information on the Microsoft Store India site (http://www.microsoftstore.co.in) operated by a third party. We suggested you reset your password, among other security precautions, and to contact us with further questions.
Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers. So, as an additional precaution, if you used a credit card on the Microsoft Store India website, we recommend the following actions:
Contact your credit card provider and alert them to potential unauthorized access to your account information.
Closely monitor and review your credit card account for abnormal activity, and if seen, immediately contact your credit card provider.
Microsoft is committed to protecting customer privacy and takes this situation very seriously. We understand that you may have additional questions, so we have set up a team of specialists to address any of your concerns. Please call them between 9 a.m. and 9 p.m. at 1-800-102-1100.
General Manager, Microsoft India