Microsoft India's online store was hacked by a Chinese group identified as Evil Shadow, reports WPSauce (via ZDNet). Making things worse for the Redmond giant, the screenshots posted on HackTeach reveal that the company had stored both usernames and passwords in plain text, potentially exposing these credentials to the public. While the site was down at the time of writing this post, and a google cache copy suggests that the site was indeed hacked by Evil Shadow team, it must be noted that MediaNama is unable to verify the authenticity of the database screenshot below. Also the motive behind the hack attempt is not clear, though the message left behind indicates that it was to expose the security flaw. Whose mistake? The site's Terms of use suggests that it was operated by e-solutions provider Quasar Media, which was appointed by Microsoft India to "own, maintain and operate the online store", and not directly by Microsoft. That being said, we still don't understand why companies are storing credentials in plain text rather than encrypting it, which is one of the most basic security protocol to be maintained by a website dealing with user data. Crazeal (previously Sosasta) had also committed a similar mistake last year, which led to e-mail addresses and passwords of 300,000 users being publicly available on search engines. Confirming the hack through an email sent to all the affected users, Microsoft India stated that there had been "unauthorized access to some of its customer account information which included non-financial information like e-mail address, password, order details and shipping…
