Microsoft Store India Hack Worse Than Anticipated, Financial Data Possibly Compromised

Remember that nasty incident earlier this month where the online Microsoft storefront in India — whose operation, by the way, was outsourced to a local Indian company called Quasar Media — had their users’ passwords stored in plain text in the database? At the time, it was thought that no serious financial information was compromised.

However, Microsoft has just sent out a new followup email with users of the Microsoft Store India website stating otherwise:

In a previous email on Feb. 12, 2012, we notified you there may have been unauthorized access to some of your customer account information on the Microsoft Store India site (http://www.microsoftstore.co.in) operated by a third party. We suggested you reset your password, among other security precautions, and to contact us with further questions.

Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers. So, as an additional precaution, if you used a credit card on the Microsoft Store India website, we recommend the following actions:

Contact your credit card provider and alert them to potential unauthorized access to your account information.
Closely monitor and review your credit card account for abnormal activity, and if seen, immediately contact your credit card provider.
Microsoft is committed to protecting customer privacy and takes this situation very seriously. We understand that you may have additional questions, so we have set up a team of specialists to address any of your concerns. Please call them between 9 a.m. and 9 p.m. at 1-800-102-1100.

Thank you,
Chakrapani Gollapali
General Manager, Microsoft India

Scary. Medianama is guessing that that perhaps Microsoft has learned that the hackers somehow breached the payment gateway itself, or that the site was also storing credit card payment credentials in plain text as well.

This is unfortunately a PR nightmare for Microsoft; having to retract a statement assuring customers that their financial data is safe reflects, well, horribly on them. But it’s worth noting that, while Microsoft is partly to blame here, we really need to aim the pitchforks and the riots at Quasar Media, the company that owned, operated, and managed the storefront. If you’re a client of theirs — low or high profile (which Quasar sadly has plenty of) — I strongly urge you to reconsider, lest you have a similar breach. No company that’s incompetent enough to store passwords in plain text deserves any business whatsoever, and we can only hope that Quasar suffers as a result.

Update: Microsoft Store India hacked

Microsoft’s online storefront in India has been hacked and subsequently defaced by a Chinese hacking group that goes by the alias of EvilShadow. As of 12PM EST, visiting the website will display the message as screenshotted above. Links to the hackers’ blog have also been included, in which a post claiming responsibility for the attack can be found. With a little assistance of Google Translate, here’s what the post said:

Do not explain, line and over ~ 

Shut down the organization’s internal group (119,883,641) added directly to the channel, and security enthusiasts who are interested can send the original articles, animations, tools to the mailbox <snipped> audit the ok, was open to join.

On the “black page” — subtly labeled Evil.html — the infamous Anonymous mask can be found. Below the image is the text, “Evil Shadow Team..Unsafe system will be baptized …” along with another link to their blog.

The motives behind this hack are currently unclear, but it’s likely that it was performed as a playful challenge, and not for social or political reasons.

UPDATE: This attack is far more severe than initially imagined. As reported by HackTeach (oddly enough, it seems that images may not show in Google Chrome), the hackers managed to gain access to the database, where Microsoft carelessly stored password data in plain text.

If you had an account on microsoftstore.co.in, we urge you to change your password (or passwords, if you used the same password here on other services), as it has been compromised.

UPDATE 2: As noted by The Verge, the site is now back in the hands of  Quasar Media Pvt. Ltd. (which, as the Microsoft Store India ToS points out, is the company that Microsoft outsourced the operations of this store to.) As of 2AM EST, they are working to bring the site back up. Let’s hope that they are adding proper password hashing/SALTing this time.