Updated: Microsoft India’s Online Store Hacked; Reportedly Stored User Data In Plain Text


Microsoft India’s online store was hacked by a Chinese group identified as Evil Shadow, reports WPSauce (via ZDNet). Making things worse for the Redmond giant, the screenshots posted on HackTeach reveal that the company had stored both usernames and passwords in plain text, potentially exposing these credentials to the public. While the site was down at the time of writing this post, and a Google cache copy suggests that the site was indeed hacked by the Evil Shadow team, it must be noted that MediaNama is unable to verify the authenticity of the database screenshot below. The motive behind the hack attempt is also not clear, though the message left behind indicates that it was to expose the security flaw.

Whose mistake? The site’s Terms of Use suggest that it was operated by e-solutions provider Quasar Media, which was appointed by Microsoft India to “own, maintain and operate the online store”, and not directly by Microsoft. That being said, we still don’t understand why companies are storing credentials in plain text rather than encrypting them, which is one of the most basic security protocols to be maintained by a website dealing with user data. Crazeal (previously Sosasta) had committed a similar mistake last year, which led to the e-mail addresses and passwords of 300,000 users being publicly available on search engines.
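The difference between what this breach exposed and what a leaked table should look like, as an added illustration (not code from the article, Microsoft or Quasar Media; the PBKDF2 parameters and the sample accounts are constructed assumptions): a plain-text table hands the attacker every password directly, while a salted, iterated hash table gives the attacker only salts and digests that still verify logins.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; nothing here comes from the actual breach.
SAMPLE_USERS = {"alice@example.com": "correct horse battery", "bob@example.com": "hunter2"}

# Assumed work factor; tune to the hardware the verification runs on.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(users):
    """The pattern seen in the breach: the password column is the password itself."""
    return {email: {"password": pw} for email, pw in users.items()}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 record; a fresh per-user salt means equal
    passwords produce different digests and cannot be looked up in bulk."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def store_hashed(users):
    """The table a site should hold: no recoverable password anywhere."""
    return {email: hash_password(pw) for email, pw in users.items()}


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def passwords_readable_from_dump(table):
    """What an attacker who dumps the table can read without any further work."""
    return sorted(rec["password"] for rec in table.values() if "password" in rec)


if __name__ == "__main__":
    print("plain-text dump exposes:", passwords_readable_from_dump(store_plaintext(SAMPLE_USERS)))
    hashed = store_hashed(SAMPLE_USERS)
    print("hashed dump exposes:", passwords_readable_from_dump(hashed))
    print("login still works:", verify_password(hashed["alice@example.com"], "correct horse battery"))
```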

Confirming the hack through an email sent to all the affected users, Microsoft India stated that there had been “unauthorized access to some of its customer account information which included non-financial information like e-mail address, password, order details and shipping address”. It added that the databases storing credit card details and payment information had not been affected during this hack. It said:

We are writing to inform you that there may have been unauthorized access to some of your customer account information on Microsoft Store India (http://www.microsoftstore.co.in/). We have confirmed that databases storing credit card details and payment information were not affected during this compromise. However, exposed account details may include non-financial related information including e-mail address, password, order details and shipping address.

Microsoft Store takes this situation very seriously, and the company is diligently working to remedy the issue and keep our customers protected. We need your help in this regard and we ask that you please take the following steps to prohibit any further unauthorized access to your information.

Precautions You Should Take

In order to secure your account information, Microsoft Store will take the action to re-set your password. Please follow these steps to ensure your privacy is protected:

1. If you use the same e-mail and password combination on any other sites, including non-Microsoft websites or services, you should proactively change the password immediately to ensure your personal information is protected.

2. You will receive an e-mail with a temporary password and a prompt to create a new password. Please note, the password reset relates only to Microsoft Store India.

3. Once you receive the e-mail you should immediately create a new password, one that is both secure and familiar to you.

Microsoft Store is Here to Help

We understand that you may have additional questions and Microsoft Store is here to help. If you have specific questions about your Microsoft Store account or want more information about computing and personal security please contact us at 1800-102-1100.

We apologize for any inconvenience this incident might cause.

Thank you,
Microsoft Store India


  • http://twitter.com/punkedge Pankaj Bengani

    The ones who get caught are thieves, dunno how many more companies are doing things like these. This line almost had me bursting out in laughter: “Microsoft Store takes this situation very seriously, and the company is diligently working to remedy the issue and keep our customers protected”. I’m sorry but nothing can be done now, if only they would have worked diligently earlier & taken such things seriously. Wake-up call to other e-com & related websites. Jaago (wake up).

  • http://www.facebook.com/hemant.charya Hemant Charya

    Expect shit to happen when “ad agencies” make “websites”.