Microsoft Store India Hack Worse Than Anticipated, Financial Data Possibly Compromised

Remember that nasty incident earlier this month where the online Microsoft storefront in India — whose operation, by the way, was outsourced to a local Indian company called Quasar Media — had its users’ passwords stored in plain text in the database? At the time, it was thought that no serious financial information was compromised.

However, Microsoft has just sent out a new follow-up email to users of the Microsoft Store India website stating otherwise:

In a previous email on Feb. 12, 2012, we notified you there may have been unauthorized access to some of your customer account information on the Microsoft Store India site ( operated by a third party. We suggested you reset your password, among other security precautions, and to contact us with further questions.

Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers. So, as an additional precaution, if you used a credit card on the Microsoft Store India website, we recommend the following actions:

Contact your credit card provider and alert them to potential unauthorized access to your account information.
Closely monitor and review your credit card account for abnormal activity, and if seen, immediately contact your credit card provider.

Microsoft is committed to protecting customer privacy and takes this situation very seriously. We understand that you may have additional questions, so we have set up a team of specialists to address any of your concerns. Please call them between 9 a.m. and 9 p.m. at 1-800-102-1100.

Thank you,
Chakrapani Gollapali
General Manager, Microsoft India

Scary. Medianama is guessing that perhaps Microsoft has learned that the hackers somehow breached the payment gateway itself, or that the site was also storing credit card payment credentials in plain text.

This is unfortunately a PR nightmare for Microsoft; having to retract a statement assuring customers that their financial data is safe reflects, well, horribly on them. But it’s worth noting that, while Microsoft is partly to blame here, we really need to aim the pitchforks and the riots at Quasar Media, the company that owned, operated, and managed the storefront. If you’re a client of theirs — low or high profile (which Quasar sadly has plenty of) — I strongly urge you to reconsider, lest you have a similar breach. No company that’s incompetent enough to store passwords in plain text deserves any business whatsoever, and we can only hope that Quasar suffers as a result.

Published by

Paul Paliath