Microsoft admits hackers nabbed credit card info

Remember when Microsoft Store India was hacked, user data leaked, and passwords had been stored in plain text? Microsoft called the breach a "limited compromise" and assured customers that "databases storing credit card details and payment information were not affected." Try not to get whiplash as Microsoft now admits that financial data - credit card information - may have been compromised.

Do you recall when the Microsoft Store in India was hacked by a group of Chinese hackers dubbed Evil Shadow? It was more embarrassing than a defacement since the hackers breached the database and then leaked usernames and passwords which had been stored in plain text.

The website was taken down and replaced with a holding page that stated, "The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible." The Microsoft Store India site is still down; it was managed by third-party service provider Quasar Media.

In a statement, Microsoft called the breach a "limited compromise" of the company's online store in India. "The store customers have already been sent guidance on the issue and suggested immediate actions." Microsoft assured customers that "databases storing credit card details and payment information were not affected during this compromise."

Two weeks later... well, apparently the big M fibbed.

At the time of the hack, Evil Shadow claimed, "The data is very important. Any security enthusiasts are interested in the data." The hacking group added, "Even Microsoft-owned stores will also use clear text passwords."

Now blogger and India Microsoft customer Amit Agarwal reported:

"If you ever used your credit card to shop at the Microsoft Online Store in India, it may be a good idea to stop everything you're doing and call your bank to get your credit card blocked. That's because your credit card number, your address and everything else that a fraud needs to use your credit card online, could later become available in the underground market."

Agarwal further speculated that Quasar Media "was probably storing customers' confidential data in plain text inside a Microsoft Access database that hackers got hold of." He received a second email from Microsoft, but this one admits, "Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers." Furthermore, customers were advised to contact their credit card provider and closely monitor their credit card account.

Microsoft has set up a helpline and a team of specialists for concerned customers because "Microsoft is committed to protecting customer privacy and takes this situation very seriously."


Copyright © 2012 IDG Communications, Inc.
