Microsoft's India Store has been compromised, passwords saved as plain text

Microsoft runs a localized online store for each region, and the store for India has been compromised. As of 12:30 PM EST http://www.microsoftstore.co.in/ was still offline. WPsauce.com grabbed a couple of screenshots before the site went down; they show a defacement crediting the EvilShadow team with the breach, although the hackers are no design experts, since blue text on a black background makes a message rather hard on the eyes.

Image Credit: Hackteach

The real damage from this breach is that the site's user database was dumped and, worse, the passwords in it were stored in plain text rather than as salted hashes, so the attackers now hold every account's actual password. If you have ever created an account on Microsoft's store for India, change that password immediately on every other website where you reused it or a close variant of it.

A breach like this is bad enough publicity for Microsoft, but the fact that the site did not follow the basic industry practice of storing only a salted, slow hash of each password (so that a database dump does not hand the attacker the passwords themselves) is alarming, given how often consumers reuse the same or similar passwords across multiple websites.
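To make the difference concrete, here is an added example (not code from the store or from Microsoft) contrasting the plain-text storage pattern described above with a salted PBKDF2-HMAC scheme. The account names, passwords and iteration count are constructed for the example; the store's real schema is unknown.

```python
"""Plain-text password storage (the pattern this article describes) beside
a salted, slow-hashed alternative. All accounts below are constructed
sample data, not records from the breach."""
import hashlib
import hmac
import os

# --- How the breached store apparently did it ---------------------------------
# The users table holds the password itself, so whoever dumps the table
# walks away with every credential, ready to try on other sites.
plaintext_users = {}  # email -> password (constructed sample data)

def plaintext_register(email: str, password: str) -> None:
    plaintext_users[email] = password

def plaintext_login(email: str, password: str) -> bool:
    return plaintext_users.get(email) == password

# --- The hardened form: store only a per-user salt and a PBKDF2 digest -------
# ITERATIONS is an assumption for the example; tune it to your hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
hashed_users = {}  # email -> (salt, digest)

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hashed_register(email: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)  # unique per user: identical passwords hash differently
    hashed_users[email] = (salt, _derive(password, salt))

def hashed_login(email: str, password: str) -> bool:
    record = hashed_users.get(email)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _derive(password, b"\0" * SALT_BYTES)
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)  # constant-time compare

# --- What an attacker gets from a dump of each table --------------------------
def credentials_in_dump(table: dict) -> list:
    """Credentials directly reusable against other sites, given the dump format."""
    usable = []
    for email, value in table.items():
        if isinstance(value, str):  # plain-text column: ready to reuse as-is
            usable.append((email, value))
        # (salt, digest) tuples yield nothing without an offline cracking effort
    return usable

def demo() -> dict:
    # Constructed sample accounts; user3 deliberately reuses user1's password.
    for email, pw in [("user1@example.com", "Winter2012"),
                      ("user2@example.com", "correct horse"),
                      ("user3@example.com", "Winter2012")]:
        plaintext_register(email, pw)
        hashed_register(email, pw)
    return {
        "plaintext_login_ok": plaintext_login("user1@example.com", "Winter2012"),
        "hashed_login_ok": hashed_login("user1@example.com", "Winter2012"),
        "hashed_login_wrong": hashed_login("user1@example.com", "winter2012"),
        "hashed_login_unknown": hashed_login("nobody@example.com", "x"),
        "same_password_different_digests":
            hashed_users["user1@example.com"][1] != hashed_users["user3@example.com"][1],
        "reusable_from_plaintext_dump": len(credentials_in_dump(plaintext_users)),
        "reusable_from_hashed_dump": len(credentials_in_dump(hashed_users)),
    }

if __name__ == "__main__":
    print(demo())
```

The point of the per-user salt is the last two lines of `demo()`: in the plain-text table every row is a reusable credential, while in the hashed table two users with the same password do not even share a digest, so a dump gives the attacker nothing to reuse without first cracking each entry.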

If/When Microsoft offers an update to the situation we will update this post. 

Update: As noted below, this website is run by Quasar Media and not Microsoft.


34 Comments


Ugh, pretty evil to post a screenshot like that with fore- and surnames. The passwords may be used by these on other services too, and could be correlated. And no, it's of course not an excuse that you may also find this information on a warez site, or that people are stupid when reusing passwords.

As poor an excuse as giving a direct link to a leaked version of Windows 8 and saying you could easily find that link on a warez board anyway.

It baffles me why you didn't instead censor the entire password column. I mean... We know you can find the passwords. We don't need screenshot evidence here.

Just look at the Google cache of this store and read the Terms of Use part:

http://webcache.googleusercont...hl=en&ct=clnk&gl=us

"
http://www.microsoftstore.co.in is a website operated by Quasar, Company registered under the Companies Act, 1956 and having its registered office at Vishal House, 136A, 2nd Floor, Zamrudpur, Opp. LSR College, New Delhi - 110 048. We have been appointed by Microsoft to own, maintain and operate the online store.

10. PERSONAL DATA Personal details provided to Quasar through this website will only be used in accordance with our Privacy Policy. By using the Microsoft Store and/or our Service, you consent to such processing of your personal data and you warrant that all data provided by you is accurate. Please read our policy carefully.

11. OUR LIABILITY We will not be responsible for any foreseeable or unforeseeable commercial or business losses (including without limit loss of goodwill, profits, contracts, anticipated savings, data, or wasted expenditure) or any other indirect or consequential loss that was not reasonably foreseeable to both you and us at the time our contract was formed, or at the time you began using the Microsoft Store."

Quasar hosts this store and all its data. No LiveID used so it is not managed by Microsoft directly. Quasar ****ed up and Microsoft security is not breached.

mantragora said,
Just look at the Google cache of this store and read the Terms of Use part:

http://webcache.googleusercont...hl=en&ct=clnk&gl=us

"
http://www.microsoftstore.co.in is a website operated by Quasar, Company registered under the Companies Act, 1956 and having its registered office at Vishal House, 136A, 2nd Floor, Zamrudpur, Opp. LSR College, New Delhi - 110 048. We have been appointed by Microsoft to own, maintain and operate the online store.

10. PERSONAL DATA Personal details provided to Quasar through this website will only be used in accordance with our Privacy Policy. By using the Microsoft Store and/or our Service, you consent to such processing of your personal data and you warrant that all data provided by you is accurate. Please read our policy carefully.

11. OUR LIABILITY We will not be responsible for any foreseeable or unforeseeable commercial or business losses (including without limit loss of goodwill, profits, contracts, anticipated savings, data, or wasted expenditure) or any other indirect or consequential loss that was not reasonably foreseeable to both you and us at the time our contract was formed, or at the time you began using the Microsoft Store."

Quasar hosts this store and all its data. No LiveID used so it is not managed by Microsoft directly. Quasar ****ed up and Microsoft security is not breached.

It is Microsoft's site with Microsoft's name so it doesn't matter who builds or maintains the site. Microsoft's security has been breached.

Makes you wonder what other Microsoft businesses do this. Pretty shoddy if they didn't have rules in place. Their lack of two step authentication for Xbox Live is something that needs to be looked at.

Might I ask why all the international MS store websites aren't based off the same code, just with different languages/content? I'm assuming that, maybe, the India store has a separate sign in/up process than the US version, which uses Live to sign in? Could this have been a 0day (just looking at their provided email address)? But still, plaintext passwords....

Matthew_Thepc said,
Might I ask why all the international MS store websites aren't based off the same code, just with different languages/content? I'm assuming that, maybe, the India store has a separate sign in/up process than the US version, which uses Live to sign in? Could this have been a 0day (just looking at their provided email address)? But still, plaintext passwords....

Could be licensing restrictions etc. I remember hearing that India didn't like encryption a while back.

n_K said,

I remember hearing that India didn't like encryption a while back.

could you elaborate on this? I've not heard it, but it sounds interesting.

M_Lyons10 said,

Yes it does.

I think he means that fight between RIM (BlackBerry) and Indian government. The gov wanted encryption keys for RIM's BlackBerry Enterprise Server (BES).

The Stark said,

I think he means that fight between RIM (BlackBerry) and Indian government. The gov wanted encryption keys for RIM's BlackBerry Enterprise Server (BES).

ah, that would make sense

I'm surprised they don't do all the website designs, development and security back at HQ to make sure it meets standards. Then use Akamai to serve the websites for other countries. As all their site logins should use Windows Live login and require no storage of passwords locally. Hopefully those responsible for building the site are fired and in the future security checks and compliance are put in place before anything is pushed out the door. No excuse for a billion dollar company to have simple slip ups like this happening.

Agreed, I would bet a lot of money that Microsoft has a policy for securing customer data that this site did not abide by...but then again, why was it not caught in an audit etc.

ITOps said,
I'm surprised they don't do all the website designs, development and security back at HQ to make sure it meets standards. Then use Akamai to serve the websites for other countries. As all their site logins should use Windows Live login and require no storage of passwords locally. Hopefully those responsible for building the site are fired and in the future security checks and compliance are put in place before anything is pushed out the door. No excuse for a billion dollar company to have simple slip ups like this happening.
Agreed. This is ridiculous. I wonder if this was another site developed by a third party... That seems to always get them in trouble. Maybe Microsoft should stop that practice altogether... There's just no excuse for this.

M_Lyons10 said,
Agreed. This is ridiculous. I wonder if this was another site developed by a third party... That seems to always get them in trouble. Maybe Microsoft should stop that practice altogether... There's just no excuse for this.

Site is managed by the branding company Quasar Media.

liju said,

Site is managed by the branding company Quasar Media.

I figured it would be something like that... Hopefully Microsoft starts doing more of this internally...

Should you really be posting a screenshot with a list of passwords in?

I know the email addresses are slightly obscured, but for example row 130 is easy to guess what the email address is, and the password is there visibly for everyone to see...

-Alex- said,
Should you really be posting a screenshot with a list of passwords in?

I know the email addresses are slightly obscured, but for example row 130 is easy to guess what the email address is, and the password is there visibly for everyone to see...

I think 119 is easier to guess.

Edit: re-looking most of them appear to strongly relate to the name column.

If someone really wants to find out the entire email and passwords, they can locate the file imaged above very easily.

-Alex- said,
Should you really be posting a screenshot with a list of passwords in?

I know the email addresses are slightly obscured, but for example row 130 is easy to guess what the email address is, and the password is there visibly for everyone to see...

true... it's obvious those can be guessed...

-Alex- said,
Should you really be posting a screenshot with a list of passwords in?

I know the email addresses are slightly obscured, but for example row 130 is easy to guess what the email address is, and the password is there visibly for everyone to see...

That needs to be redacted....

bdsams said,
If someone really wants to find out the entire email and passwords, they can locate the file imaged above very easily.

Then how about Neowin at least makes them look for it then? This seems to go against what is acceptable in even the most morally questionable blogs. Neowin should be better than this.

bdsams said,
If someone really wants to find out the entire email and passwords, they can locate the file imaged above very easily.

That's some awful logic...just because it's easy to find doesn't mean you should make it even easier.

I bet a lot of these sites that got shut down for piracy tried to run the defence that this material is easy to find...but it's a bad defence.

bdsams said,
If someone really wants to find out the entire email and passwords, they can locate the file imaged above very easily.

Wow really??? So you don't care about protecting people's identity? All you care about is your news?

-Alex- said,
Should you really be posting a screenshot with a list of passwords in?

I know the email addresses are slightly obscured, but for example row 130 is easy to guess what the email address is, and the password is there visibly for everyone to see...

Note: This website is not run by Microsoft, but by Quasar Media