
Microsoft Store India Hacked, Passwords Stored in Plain Text

Source: WP Sauce

Microsoft targeted in latest attack.

Last summer's PSN breach has meant companies are being watched more closely than ever when it comes to protecting users and securing their networks. This week, Microsoft became the latest victim when hackers targeted the Microsoft Store India. Owned and run by Quasar Media, the site yesterday displayed (Google Cache) this welcome message to visitors:

Those responsible for the attack go by the name of EvilShadow team and appear to be Chinese. The group has not yet provided a reason for the attack, except to say that "unsafe system will be baptized." According to Windows Phone Sauce, EvilShadow managed to access the site's database where users' passwords were being stored in plain text. The group has posted a screenshot showing a sample of the stolen login credentials on its blog. Needless to say, if you're registered with Microsoft Store India, now might be a good time to change your password. Microsoft has not yet commented on the breach, and Quasar Media, the company that operates MS Store India, hasn't released a statement regarding the incident either.

The site seems to be back in the right hands, but it isn't up and running as normal just yet. The homepage right now shows an apology for the store being down:

The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible. We apologize for any inconvenience this may have caused.

We'll keep you posted regarding any statement from Microsoft or Quasar Media.

Top Comments
  • 18
    Netherscourge , February 13, 2012 2:02 PM
    Plain Text Password storage.

    The latest in Microsoft Security.
  • 18
    Darkerson , February 13, 2012 1:45 PM
    /facepalm

    You would think some of these companies would learn to stop storing all this info in plain text format, especially with all the hacking events last year. Guess not...
  • 16
    mihaimm , February 13, 2012 2:38 PM
    phamhlam: I hope you morons read the article and know that the store wasn't operated by microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.

    It's like McDonald's restaurants... not operated by them, but you're still gonna blame them for all the trash you eat. Same thing here... When I see a Microsoft store I don't care/know it's operated by Quasar Media. M$ should really impose standards on the companies they're working with, not just care about how much money they can make.
Other Comments
  • 12
    mihaimm , February 13, 2012 1:51 PM
    It's incredible that software companies still store actual passwords in plain text. This should be plain illegal as many users have the same password for the different sites they use and the only reason to store it in plain text is to try to access the other sites...
  • 10
    back_by_demand , February 13, 2012 2:03 PM
    One of the passwords was the name of a famous cricket player

    MuttiahMuralitharan

    Hardly plain text though is it....
  • -4
    alyoshka , February 13, 2012 2:19 PM
    Well, looks like J got it the PM...:) 
  • -2
    billybobser , February 13, 2012 2:24 PM
    I imagine even software written in-house by companies should have evolved past plain text password storage, why bother using software at all if you're going to do that.
  • 9
    phamhlam , February 13, 2012 2:26 PM
    I hope you morons read the article and know that the store wasn't operated by microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.
  • -2
    mobrocket , February 13, 2012 2:38 PM
    MFST store India... what the hell do they even offer there?
    software on how to come to america and get a tax free business?
  • -1
    __-_-_-__ , February 13, 2012 2:41 PM
    back_by_demand: One of the passwords was the name of a famous cricket player MuttiahMuralitharan Hardly plain text though is it....

    you didn't get it. plain text is opposed to encrypted passwords. so MuttiahMuralitharan wouldn't appear like plain text "MuttiahMuralitharanHardly" it would appear like 2d45yjehdtw9mr4wje879dthw894fjg9gh8794gferio
    so even if they could get the passwords they couldn't use them because they were encrypted. that is, if they are unable to crack the hash. most times they are encrypted with just md5, which is very weak and crackable.

    The problem here is that it's very easy for a company to implement better security. Yet microsoft a multi billion dollar company is unable to implement extremely simple security measures to protect their customers data. And outsourcing it to another company is not an excuse for security failures.
    So any script kiddie with some skills is capable of exploiting those breaches in security and then this happens. Anyone with basic programming skills and some hours of googling is capable of doing this. You would be surprised how easy it is in most cases.
  • 2
    vishalaestro , February 13, 2012 2:53 PM
    what is the meaning of unsafe systems will be baptized
  • 13
    peevee , February 13, 2012 3:01 PM
    Easily hackable system? Plaintext passwords? Sounds like Indian programmers indeed... :) 
  • 4
    peevee , February 13, 2012 3:05 PM
    mihaimm: It's incredible that software companies still store actual passwords in plain text. This should be plain illegal as many users have the same password for the different sites they use and the only reason to store it in plain text is to try to access the other sites...

    Make it illegal in the US, they just offshore it to India. Seems cheaper this way... until ALL chickens are counted. Some VP got his bonus. :)
  • 6
    trevorvdw , February 13, 2012 3:57 PM
    I don't know about you but I feel very secure in the knowledge that all my financial information has been sent to Indian support centers.
  • 10
    back_by_demand , February 13, 2012 3:59 PM
    __-_-_-__: you didn't get it. plain text is opposed to encrypted passwords. so MuttiahMuralitharan wouldn't appear like plain text "MuttiahMuralitharanHardly" it would appear like 2d45yjehdtw9mr4wje879dthw894fjg9gh8794gferio so even if they could get the passwords they couldn't use them because they were encrypted. that is, if they are unable to crack the hash. most times they are encrypted with just md5, which is very weak and crackable. The problem here is that it's very easy for a company to implement better security. Yet microsoft a multi billion dollar company is unable to implement extremely simple security measures to protect their customers data. And outsourcing it to another company is not an excuse for security failures. So any script kiddie with some skills is capable of exploiting those breaches in security and then this happens. Anyone with basic programming skills and some hours of googling is capable of doing this. You would be surprised how easy it is in most cases.

    Ya know, if you have to explain a joke it just ain't funny anymore...
  • 5
    wiyosaya , February 13, 2012 4:04 PM
    Outsourcing :sarcastic: 
  • 1
    nukemaster , February 13, 2012 4:39 PM
    I like how one user has an email that is firstnamelastname@xxx.xxx, and a password that is firstnamelastname. Even with the block does not help them.....
  • 1
    elkein , February 13, 2012 4:45 PM
    That is a facepalm, but this is what happens when you let foreign divisions have their own ways. My line of work is all government/domestic. My wife however has a significant role in outsource management for her company (to India and China.) Truth be told it gets very old and expensive micromanaging foreign offices with a constant stream of talented managers flown over to help them along, and they just don't quite produce results on their own.
  • 0
    Netherscourge , February 13, 2012 4:51 PM
    phamhlam: I hope you morons read the article and know that the store wasn't operated by microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.

    People trash Apple for demanding 100% control over anything with their name on it. They do it so that everyone follows the same guidelines and ensures a complete quality umbrella for all their branches.

    But when Microsoft lets their outsourced vendors run a shop with a crooked security system, it's "ok" because at least their products are easier to hack and pirate stuff with.
  • 3
    A Bad Day , February 13, 2012 8:01 PM
    "Bob, we need to invest a few dozen thousand of dollars in upgrading our security. Look at PSN."

    "That's too expensive, it's extremely unlikely that someone is going to crack our system."


    Security maintenance at its best.