Microsoft Store India Hacked, Passwords Stored in Plain Text

Last summer's PSN breach has meant companies are being watched more closely than ever when it comes to protecting users and securing their networks. This week, Microsoft became the latest victim when hackers targeted the Microsoft Store India. Owned and run by Quasar Media, the site yesterday displayed (Google Cache) this welcome message to visitors:

Those responsible for the attack go by the name of EvilShadow team and appear to be Chinese. The group has not yet provided a reason for the attack, except to say that "unsafe system will be baptized." According to Windows Phone Sauce, EvilShadow managed to access the site's database where users' passwords were being stored in plain text. The group has posted a screenshot showing a sample of the stolen login credentials on its blog. Needless to say, if you're registered with Microsoft Store India, now might be a good time to change your password. Microsoft has not yet commented on the breach, and Quasar Media, the company that operates MS Store India, hasn't released a statement regarding the incident either.

The site seems to be back in the right hands, but it isn't up and running as normal just yet. The homepage right now shows an apology for the store being down:

The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible. We apologize for any inconvenience this may have caused.

We'll keep you posted regarding any statement from Microsoft or Quasar Media.

  • Darkerson

    You would think some of these companies would learn to stop storing all this info in plain text format, especially with all the hacking events last year. Guess not...
  • mihaimm
    It's incredible that software companies still store actual passwords in plain text. This should be plain illegal as many users have the same password for the different sites they use and the only reason to store it in plain text is to try to access the other sites...
  • Netherscourge
    Plain Text Password storage.

    The latest in Microsoft Security.
  • back_by_demand
    One of the passwords was the name of a famous cricket player


    Hardly plain text though is it....
  • alyoshka
    Well, looks like J got it the PM...:)
  • billybobser
    I imagine even software written in-house by companies should have evolved past plain text password storage, why bother using software at all if you're going to do that.
  • phamhlam
    I hope you morons read the article and know that the store wasn't operated by Microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate.
  • mihaimm
    phamhlam said: "I hope you morons read the article and know that the store wasn't operated by microsoft but by Quasar Media. If Microsoft ran it, this would not be how they operate."
    It's like McDonald's restaurants... not operated by them, but you're still gonna blame them for all the trash you eat. Same thing here... When I see a Microsoft store I don't care/know it's operated by Quasar Media. M$ should really impose standards on the companies they're working with, not just care about how much money they can make.
  • mobrocket
    MFST store India... what the hell do they even offer there?
    software on how to come to america and get a tax free business?
  • __-_-_-__
    back_by_demand said: "One of the passwords was the name of a famous cricket player MuttiahMuralitharan Hardly plain text though is it...."
    didn't get it. plain text is opposed to encrypted passwords. so MuttiahMuralitharan wouldn't appear like plain text "MuttiahMuralitharanHardly" it would appear like 2d45yjehdtw9mr4wje879dthw894fjg9gh8794gferio
    so even if they could get the passwords they couldn't use them because they were encrypted. that is, if they are unable to crack the hash. most times they are encrypted with just md5, which is very weak and crackable.

    The problem here is that it's very easy for a company to implement better security. Yet Microsoft, a multi billion dollar company, is unable to implement extremely simple security measures to protect their customers' data. And outsourcing it to another company is not an excuse for security failures.
    So any script kiddie with some skills is capable of exploiting those breaches in security and then this happens. Anyone with basic programming skills and some hours of googling is capable of doing this. You would be surprised how easy it is in most cases.