Microsoft admits hackers nabbed credit card info

Analysis
Feb 28, 2012 · 3 mins
Data and Information Security, Data Breach, Microsoft

Remember when Microsoft Store India was hacked, user data leaked, and passwords had been stored in plain text? Microsoft called the breach a "limited compromise" and assured customers that "databases storing credit card details and payment information were not affected." Try not to get whiplash as Microsoft now admits that financial data - credit card information - may have been compromised.

Do you recall when the Microsoft Store in India was hacked by a group of Chinese hackers dubbed Evil Shadow? It was more embarrassing than a defacement since the hackers breached the database and then leaked usernames and passwords which had been stored in plain text.

The website was taken down and replaced with a holding page that stated, “The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible.” The Microsoft Store India site is still down; it was managed by third-party service provider Quasar Media.

In a statement, Microsoft called the breach a “limited compromise” of the company’s online store in India. “The store customers have already been sent guidance on the issue and suggested immediate actions.” Microsoft assured customers that “databases storing credit card details and payment information were not affected during this compromise.”

Two weeks later . . . well, apparently the big M fibbed.

At the time of the hack, Evil Shadow claimed, “The data is very important. Any security enthusiasts are interested in the data.” The hacking group added, “Even Microsoft-owned stores will also use clear text passwords.”

Now blogger and India Microsoft customer Amit Agarwal reported:

“If you ever used your credit card to shop at the Microsoft Online Store in India, it may be a good idea to stop everything you’re doing and call your bank to get your credit card blocked. That’s because your credit card number, your address and everything else that a fraud needs to use your credit card online, could later become available in the underground market.”

Agarwal further speculated that Quasar Media “was probably storing customers’ confidential data in plain text inside a Microsoft Access database that hackers got hold of.” He received a second email from Microsoft [PDF], but this one admits, “Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers.” Furthermore, customers were advised to contact their credit card provider and closely monitor their credit card account.

Microsoft has set up a helpline and a team of specialists for concerned customers because “Microsoft is committed to protecting customer privacy and takes this situation very seriously.”


ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.