Microsoft Store in India hacked, user data leaked, passwords stored in plain text

The Microsoft Store India was hacked by Evil Shadow, a team of Chinese hackers, who tagged the site with 'Unsafe system will be baptized.' More embarrassing than the defacement, the hackers breached the database and then leaked usernames and passwords which had been protected with no encryption. That's right, Microsoft which supposedly takes privacy very seriously, had stored passwords as plain text in the Microsoft Store.

The Microsoft Store India was hacked by Evil Shadow, a team of Chinese hackers who left a "black page" ( tagged with, "Unsafe system will be baptized." But the hack goes well beyond a defacement into embarrassment. Not only was the customer database breached, and usernames and passwords stolen, but there was no protection, no encryption since the site stored passwords as plain text.

After hacking the Indian website for buying Microsoft products late Sunday night, the hackers obscured the full usernames and passwords but posted screenshots on a blog ( belonging to 7z1, a member of the Evil Shadow team. According to 7z1, a Chinese 'patriotic hacker', the Microsoft Store in India was marked with a Chinese flag because the hacking group is from China. The home page was defaced to make the "more powerful Microsoft aware of this issue." While modifying the home page, the Evil Shadow Team "encountered some resistance" before overcoming it. 7z1 wrote:

The data is very important. Any security enthusiasts are interested in the data. We have made some of the data from the Microsoft India Mall, this behavior is designed to showcase Even Microsoft-owned stores will also use clear text passwords. Data no more value in China.

HackTeach explained the hack of Microsoft India Mall and access to the server permissions marked the "establishment" of the group Evil Shadow. "The organization is scattered in the civil security enthusiasts with a certain strength, mainly for foreign penetration." HackTeach also included a screenshot of the unencrypted database.

A Microsoft statement called the breach a "limited compromise" of the company's online store in India. "The store customers have already been sent guidance on the issue and suggested immediate actions."

Again from HackTeach, the screenshot below shows Microsoft's privacy statement file at the top. That is one of Microsoft's favorite quotes sent to me, how Microsoft takes its consumers' privacy very seriously, and privacy is very important to Microsoft. Just the same, consumer names, email addresses and passwords were not handled so securely or privately in the Indian Microsoft store since they were all stored in plain text. An explanation? The Microsoft site is allegedly managed by a third party service provider and is still down with the message, "The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible."

According to Reuters, "The Indian edition of the Microsoft Store is operated by Indian company Quasar Media. A spokesman said the company was investigating. 'I am not sure when the site will be up again or what happened,' spokesman Rahul Roy said.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.

What is security's role in digital transformation?