Microsoft Store India website hacked, passwords exposed in plain text
Did you hear that the Microsoft Store India online website was hacked? In this article, I will discuss the news of the Microsoft India store website hack and the rumors that passwords and user profile details were exposed in plain text.
If the reports are true, it is one of the most embarrassing moments for Microsoft India and Quasar Media Pvt Ltd, which runs the Microsoft India online store under the lease agreement from Microsoft. According to the news, the Microsoft Store India website was hacked and the passwords were exposed in plain text. The bigger concern is that some sources like TheVerge.com have stated that the hackers got access to the database where user profiles were stored in plain text. The email ids, names and passwords of Microsoft Store India users (www.microsoftstore.co.in) were exposed, the site claims. I was able to confirm that the site was hacked from the Google cache copy of the Microsoft Store India website. Many websites have published a screen showing passwords in plain text, but I could not find anything from Google cache to prove this claim. Since it involves further exposing the private information, I have decided not to publish the screenshot of the exposed private user data.
Read about the security flaw in SkyDrive-Hotmail integration, which I discovered just 1 day ago. It is more relevant in the context of the hacking of the Microsoft store website today. I am surprised how lightly the security of user data and files is taken at the Microsoft store site.
The engineers at Microsoft store are reactive now and have taken the hacked Microsoft store (www.microsoft.co.in) down. You can no longer access the site. There are no official statements available on the Microsoft Store India hacking incident.
How was the Microsoft Store India website hacked?
At this time, we have no information on how the hackers were able to get access to the server and the database. Neither Microsoft nor the third-party company which runs the site has made any official statement regarding this hacking incident. It is unclear whether they were able to detect the loopholes and block the doors for the hackers. It is possible that they shut down the server because the user profile data, including the passwords that were stored in plain text, were exposed and published, if the news can be trusted. I noticed that TheVerge has published a screenshot of the user profile information which includes the passwords in plain text.
When was Microsoft Store India website hacked?
The Google Cache I retrieved now (12 February 7:15 GMT, 12:45 IST) shows the screen where the hackers' message is displayed. Another Google cached copy with the timestamp 9 Feb 2012 19:46:50 GMT shows the real Microsoft Store India website before the hackers took it over. So the hacking happened sometime between these two dates.
On the blog of the Evil Shadow team, there is a post that claims the hacking incident. The blog post is dated 2012-2-11 15:23:53. Not sure what time zone it is.
Is your account compromised by the hackers of Microsoft store website?
Many websites are showing screenshots of user profile data including email ids, passwords, names etc. Even though we could find such screenshots, we decided not to publish them to avoid adding further damage to the people whose information is compromised.
If you ever used the Microsoft Store India website before it was hacked and used the same email id and password elsewhere, rush now and change those passwords. We do not know when the hackers got access to the user data or whether any damage has already been done.
Did they really store the passwords in plain text?
It is very surprising and shocking to hear that the passwords were stored in plain text, if the news is right. Another possibility is that the hackers decrypted the passwords and published them in plain text. (I can't rule out that someone just started spreading this as a rumor and there was no compromise of user data.) Not hashing the passwords was a serious mistake on the part of the company, I believe. I think it should be made mandatory for all online shops to disclose whether passwords are hashed or not when saved in their database. Nowadays, even small websites store passwords encrypted or hashed, so it is unbelievable that an online store of a big company like Microsoft would store them in plain text. On another website I saw a comment by a reader saying that when passwords are stored in plain text, it is not called hacking, but is called reading.
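To make the plain text versus hashed distinction concrete, here is an added example (not code from the store or from any report on the incident) that builds both kinds of user table from constructed sample accounts and shows what a dump of each reveals. The function names, record format, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)

def build_tables(users):
    """users: list of (email, password). Returns (plaintext_rows, hashed_rows)."""
    plain = [(email, pw) for email, pw in users]                  # the mistake
    hashed = [(email, hash_password(pw)) for email, pw in users]  # the fix
    return plain, hashed

# Constructed sample accounts, not taken from the incident.
SAMPLE_USERS = [
    ("alice@example.com", "Summer2012!"),
    ("bob@example.com", "Summer2012!"),  # same password as alice
]

if __name__ == "__main__":
    plain, hashed = build_tables(SAMPLE_USERS)
    print("plaintext dump:", plain)    # passwords readable as-is
    print("hashed dump:   ", hashed)   # salts and digests only
    print("login ok:", verify_password("Summer2012!", hashed[0][1]))
```

With the hashed table, a dump still lets an attacker attempt offline guessing, so users with weak or reused passwords should change them anyway; the salt and work factor only make each guess expensive.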
Let us wait another day to find out if the passwords and user profile information were really stored in plain text and how much of them were exposed.
Update: Here is some information from the Google cache of the Microsoft Store India website. It claims it is operated by Quasar Media Pvt. Ltd.: http://www.microsoftstore.co.in is a Site operated by Quasar Media Pvt. Ltd. ("We", "Our", "Us"), a Company registered under the Companies Act, 1956 and having its registered office at Vishal House, 136A, 2nd Floor, Zamrudpur, Opp. LSR College, New Delhi – 110 048.
However, the domain name microsoftstore.co.in is registered in the name of Microsoft Corporation.