The Microsoft Store India was hacked by Evil Shadow, a team of Chinese hackers who left a "black page" (http://www.microsoftstore.co.in/evil.html) tagged with, "Unsafe system will be baptized." But the hack goes well beyond a defacement into embarrassment. Not only was the customer database breached and usernames and passwords stolen, but the passwords had no protection and no encryption, since the site stored them as plain text.
After hacking the Indian website for buying Microsoft products late Sunday night, the hackers obscured the full usernames and passwords but posted screenshots on a blog (ps.s.blog.163.com) belonging to 7z1, a member of the Evil Shadow team. According to 7z1, a Chinese 'patriotic hacker', the Microsoft Store in India was marked with a Chinese flag because the hacking group is from China. The home page was defaced to make the "more powerful Microsoft aware of this issue." While modifying the home page, the Evil Shadow Team "encountered some resistance" before overcoming it. 7z1 wrote:
The data is very important. Any security enthusiasts are interested in the data. We have made some of the data from the Microsoft India Mall, this behavior is designed to showcase Even Microsoft-owned stores will also use clear text passwords. Data no more value in China.
HackTeach explained that the hack of Microsoft India Mall, and the access gained to server permissions, marked the "establishment" of the group Evil Shadow. "The organization is scattered in the civil security enthusiasts with a certain strength, mainly for foreign penetration." HackTeach also included a screenshot of the unencrypted database.
A Microsoft statement called the breach a "limited compromise" of the company's online store in India. "The store customers have already been sent guidance on the issue and suggested immediate actions."
Again from HackTeach, the screenshot below shows Microsoft's privacy statement file at the top. One of Microsoft's favorite quotes sent to me is how Microsoft takes its consumers' privacy very seriously, and how privacy is very important to Microsoft. Just the same, consumer names, email addresses and passwords were not handled so securely or privately in the Indian Microsoft store, since they were all stored in plain text. An explanation? The Microsoft site is allegedly managed by a third-party service provider and is still down with the message, "The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible."
According to Reuters, "The Indian edition of the Microsoft Store is operated by Indian company Quasar Media. A spokesman said the company was investigating. 'I am not sure when the site will be up again or what happened,' spokesman Rahul Roy said."
Follow me on Twitter @PrivacyFanatic