Microsoft Store India website hacked, passwords exposed in plain text


Did you hear that the Microsoft Store India online website was hacked? In this article, I will discuss the news of the Microsoft Store India website hack and the rumors that passwords and user profile details were exposed in plain text.

If the reports are true, this is one of the most embarrassing moments for Microsoft India and Quasar Media Pvt Ltd, which runs the Microsoft India online store under the lease agreement from Microsoft. According to the news, the Microsoft Store India website was hacked and the passwords were exposed in plain text. The bigger concern is that some sources, like TheVerge.com, have stated that the hackers got access to the database where user profiles were stored in plain text. The email ids, names and passwords of Microsoft Store India users (www.microsoftstore.co.in) were exposed, the site claims. I was able to confirm from the Google cache copy of the Microsoft Store India website that the site was hacked. Many websites have published a screenshot showing passwords in plain text, but I could not find anything in the Google cache to prove this claim. Since it would involve further exposing private information, I have decided not to publish the screenshot of the exposed private user data.

Read about the security flaw in SkyDrive-Hotmail integration, which I discovered just 1 day ago. It is more relevant in the context of today's hacking of the Microsoft Store website. I am surprised how lightly the security of user data and files is taken at the Microsoft Store site.

The engineers at Microsoft Store are reactive now and have taken the hacked Microsoft Store (www.microsoft.co.in) down. You can no longer access the site. There are no official statements available on the Microsoft Store India hacking incident.

Microsoft Store website hacked - screenshot

How was the Microsoft Store India website hacked?


At this time, we have no information on how the hackers were able to get access to the server and the database. Neither Microsoft nor the third-party company which runs the site has made any official statement regarding this hacking incident. It is unclear whether they were able to detect the loopholes and block the doors for the hackers. It is possible that they shut down the server because the user profile data, including the passwords that were stored in plain text, were exposed and published, if the news can be trusted. I noticed that TheVerge has published a screenshot of the user profile information, which includes the passwords in plain text.

When was Microsoft Store India website hacked?


The Google cache copy I retrieved now (12 February 7:15 GMT, 12:45 IST) shows the screen where the hackers' message is displayed. Another Google cached copy with the timestamp 9 Feb 2012 19:46:50 GMT shows the real Microsoft Store India website before the hackers took it over. So the hacking happened sometime between these two dates.

The blog of the Evil Shadow team has a post that claims the hacking incident. The blog post is dated 2012-2-11 15:23:53. I am not sure what time zone that is.

Is your account compromised by the hackers of Microsoft store website?


Many websites are showing screenshots of user profile data including email ids, passwords, names etc. Even though we could find such screenshots, we decided not to publish them to avoid adding further damage to the people whose information is compromised.

If you ever used the Microsoft Store India website before it was hacked and used the same email id and password elsewhere, rush now and change those passwords. We do not know when the hackers got access to the user data or whether any damage has already been done.

Did they really store the passwords in plain text?

It is very surprising and shocking to hear that the passwords were stored in plain text, if the news is right. Another possibility is that the hackers decrypted the passwords and published them in plain text. (I can't rule out that someone just started spreading this as a rumor and there was no compromise of user data.) Not hashing the passwords was a serious mistake on the part of the company, I believe. I think it should be made mandatory for all online shops to disclose whether passwords are hashed or not when saved in their database. Nowadays even small websites store passwords encrypted or hashed, so it is unbelievable that an online store of a big company like Microsoft stores them in plain text. On another website I saw a comment by a reader saying that when passwords are stored in plain text, it is not called hacking, it is called reading.

Let us wait another day to find out if the passwords and user profile information were really stored in plain text and how much of them were exposed.
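To make the plain text versus hashed distinction above concrete, here is an added example (not from the original article or from the store's code) that stores the same accounts both ways and checks what a reader of the dumped table sees. The account names, the sample password, the row layout and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor: an assumed value for this example; tune it to your hardware.
ITERATIONS = 600_000


def store_plaintext(password):
    """Weak form: the database row holds the password itself."""
    return {"password": password}


def store_hashed(password):
    """Hardened form: keep only a per-user random salt and a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(row, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(row["salt"]), row["iterations"]
    )
    return hmac.compare_digest(digest.hex(), row["hash"])


def leaked_passwords(rows, known_password):
    """Users whose dumped row contains the given password verbatim."""
    return [user for user, row in rows.items() if known_password in row.values()]


# Constructed sample accounts; two users share one password.
SAMPLE = {"user_a": "Summer2012!", "user_b": "Summer2012!"}

if __name__ == "__main__":
    plain = {u: store_plaintext(p) for u, p in SAMPLE.items()}
    hashed = {u: store_hashed(p) for u, p in SAMPLE.items()}
    print("plain-text dump exposes:", leaked_passwords(plain, "Summer2012!"))
    print("hashed dump exposes:   ", leaked_passwords(hashed, "Summer2012!"))
    print("same password, same hash?", hashed["user_a"]["hash"] == hashed["user_b"]["hash"])
    print("login still works:     ", verify(hashed["user_a"], "Summer2012!"))
```

Because each row gets its own salt, two users with the same password end up with different stored hashes, so a dumped table does not even reveal which accounts share a password.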

Update: Here is some information from the Google cache of the Microsoft Store India website. It claims it is operated by Quasar Media Pvt. Ltd.: http://www.microsoftstore.co.in is a Site operated by Quasar Media Pvt. Ltd. (“We”, “Our”, “Us”), a Company registered under the Companies Act, 1956 and having its registered office at Vishal House, 136A, 2nd Floor, Zamrudpur, Opp. LSR College, New Delhi – 110 048.

However, the domain name microsoftstore.co.in is registered in the name of Microsoft Corporation. Read more about the ownership of Microsoft online store in India.


See more screenshots I retrieved from a blog that posted the hacking news





Article by Tony John
Tony John is a professional blogger from India, who started his first Weblog in 1998 at Tripod.com. Tony switched to blogging as a passion blended business in the year 2000 and currently operates several popular web properties including IndiaStudyChannel.com, Techulator.com, dotnetspider.com and many more.
