Microsoft Store India Hacked, Passwords Stored in Plain Text

Status
Not open for further replies.

Darkerson

/facepalm

You would think some of these companies would learn to stop storing all this info in plain text format, especially with all the hacking events last year. Guess not...
 

mihaimm

It's incredible that software companies still store actual passwords in plain text. This should be plain illegal as many users have the same password for the different sites they use and the only reason to store it in plain text is to try to access the other sites...
 

billybobser

I imagine even software written in-house by companies should have evolved past plain text password storage, why bother using software at all if you're going to do that.
 

phamhlam

I hope you morons read the article and know that the store wasn't operated by Microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.
 

mihaimm

[citation][nom]phamhlam[/nom]I hope you morons read the article and know that the store wasn't operated by Microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.[/citation]
It's like McDonald's restaurants... not operated by them, but you're still gonna blame them for all the trash you eat. Same thing here... When I see a Microsoft store I don't care/know it's operated by Quasar Media. M$ should really impose standards on the companies they're working with, not just care about how much money they can make.
 

__-_-_-__

[citation][nom]back_by_demand[/nom]One of the passwords was the name of a famous cricket player MuttiahMuralitharan Hardly plain text though is it....[/citation]
you didn't get it. plain text is opposed to encrypted passwords. so MuttiahMuralitharan wouldn't appear like plain text "MuttiahMuralitharanHardly" it would appear like 2d45yjehdtw9mr4wje879dthw894fjg9gh8794gferio
so even if they could get the passwords they couldn't use them because they were encrypted. that is, if they are unable to crack the hash. most times they are encrypted with just md5, which is very weak and crackable.


The problem here is that it's very easy for a company to implement better security. Yet Microsoft, a multi billion dollar company, is unable to implement extremely simple security measures to protect their customers' data. And outsourcing it to another company is not an excuse for security failures.
So any script kiddie with some skills is capable of exploiting those breaches in security and then this happens. Anyone with basic programming skills and some hours of googling is capable of doing this. You would be surprised how easy it is in most cases.
 

peevee

[citation][nom]mihaimm[/nom]It's incredible that software companies still store actual passwords in plain text. This should be plain illegal as many users have the same password for the different sites they use and the only reason to store it in plain text is to try to access the other sites...[/citation]

Make it illegal in the US, they just offshore it to India. Seems cheaper this way... until ALL chickens are counted. Some VP got his bonus. :)
 

trevorvdw

I don't know about you but I feel very secure in the knowledge that all my financial information has been sent to Indian support centers.
 

back_by_demand

[citation][nom]__-_-_-__[/nom]you didn't get it. plain text is opposed to encrypted passwords. so MuttiahMuralitharan wouldn't appear like plain text "MuttiahMuralitharanHardly" it would appear like 2d45yjehdtw9mr4wje879dthw894fjg9gh8794gferio so even if they could get the passwords they couldn't use them because they were encrypted. that is, if they are unable to crack the hash. most times they are encrypted with just md5, which is very weak and crackable. The problem here is that it's very easy for a company to implement better security. Yet Microsoft, a multi billion dollar company, is unable to implement extremely simple security measures to protect their customers' data. And outsourcing it to another company is not an excuse for security failures. So any script kiddie with some skills is capable of exploiting those breaches in security and then this happens. Anyone with basic programming skills and some hours of googling is capable of doing this. You would be surprised how easy it is in most cases.[/citation]
Ya know, if you have to explain a joke it just ain't funny anymore...
 

elkein

That is a facepalm, but this is what happens when you let foreign divisions have their own ways. My line of work is all government/domestic. My wife, however, has a significant role in outsource management for her company (to India and China). Truth be told, it gets very old and expensive micromanaging foreign offices with a constant stream of talented managers flown over to help them along, and they just don't quite produce results on their own.
 

Netherscourge

[citation][nom]phamhlam[/nom]I hope you morons read the article and know that the store wasn't operated by Microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.[/citation]


People trash Apple for demanding 100% control over anything with their name on it. They do it so that everyone follows the same guidelines and ensures a complete quality umbrella for all their branches.

But when Microsoft lets their outsourced vendors run a shop with a crooked security system, it's "ok" because at least their products are easier to hack and pirate stuff with.
 

A Bad Day

"Bob, we need to invest a few dozen thousand of dollars in upgrading our security. Look at PSN."

"That's too expensive, it's extremely unlikely that someone is going to crack our system."


Security maintenance at its best.
 

razor512

Many companies try to avoid using encryption where the passwords are salted and hashed to something that is resource consuming like AES256 because it requires additional hardware (servers and other infrastructure). Since their main motivation is profit, they will often go with the bare minimum just to get the service working, unless the market demands something better/more secure. Until the majority of computer users start working on gaining more understanding of encryption technologies and the concept behind increasing entropy in their passwords, many companies will be reluctant to invest in more secure systems (especially if any fines they get end up being cheaper than implementing better security).
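
Added example, not part of any post in this thread: the storage schemes discussed above (plain text, unsalted MD5, and a salted, deliberately expensive hash) side by side in Python. The record format, the function names and the scrypt cost parameters are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; tune to your own hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024


def md5_unsalted(password: str) -> str:
    """The weak scheme named in the thread: fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)  # unique per account, stored beside the hash
    digest = _scrypt(password, salt, N, R, P)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        actual = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    except ValueError:
        return False  # malformed row, e.g. a legacy plain-text password
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "MuttiahMuralitharan"  # the password quoted in the thread
    # Two accounts, same password: MD5 rows are identical, scrypt rows are not.
    print("md5    same digest:", md5_unsalted(pw) == md5_unsalted(pw))
    alice, bob = hash_password(pw), hash_password(pw)
    print("scrypt same record:", alice == bob)
    print("verify correct:", verify_password(pw, alice))
    print("verify wrong:  ", verify_password("not-the-password", alice))
```

Because the cost parameters are stored in each record, they can be raised later and old rows re-hashed at the user's next successful login.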
 

back_by_demand

[citation][nom]Netherscourge[/nom]People trash Apple for demanding 100% control over anything with their name on it. They do it so that everyone follows the same guidelines and ensures a complete quality umbrella for all their branches. But when Microsoft lets their outsourced vendors run a shop with a crooked security system, it's "ok" because at least their products are easier to hack and pirate stuff with.[/citation]
No one thinks it is OK, but at least we all know it's not directly Microsoft's fault, if they were directly in charge you know for a fact this wouldn't happen, chalk this one up to proving that if you don't stand directly over someone's shoulder human nature kicks in and people get stupid and lazy.
 

beayn

People always blame the company in these cases but having worked with many different IT people, I've come to the conclusion that it doesn't matter what policies your company has, there's always some idiot manager who thinks he knows enough to interview his employees. He doesn't have qualified people present at the interview which leaves the door open for idiots who bluff their way through the whole thing. These people barely get by keeping the network running and you end up with stupid shit like passwords stored in plain text.

I run into this all the time. When people give job interviews, they really should hire an IT consultant to ensure said person knows what he's doing.

We recently released a hospital IT contract to an idiot who bluffed his way through the interview. This "Professional" then asked me how to allow someone on the domain access to a shared folder. People's lives can be in danger and this guy is in charge of ensuring vital data is accessible...

 