Towards midnight in India, news of Microsoft India's web store being hacked surfaced. As the story unfolded, enthusiasts reported that Microsoft India stored usernames and passwords in plain text (this is something web devs are taught not to do in their web development 101 class). Rahul Mathur at WPSauce explained the hack, citing a post by someone called 7z1. The website (microsoft.co.in) was hacked by EvilShadow—a two-member team from China. According to Mathur, the duo was able to upload a page on the website while the rest of the website could be browsed by directly going to the product listings. However, things got bad when HackTeach posted screenshots of the user database. Here are the screenshots of the attack:
Early last year, Groupon India was hacked and the user database was dumped on the Internet. I searched on Twitter about the hack and I came across updates that said hackers from Bangladesh had attacked some government websites as a protest against action taken by India's Border Safety Force; as it turns out, some websites were attacked. The biggest one is the Security and Exchange Board of India's website (sebi.gov.in); others include Maharashtra Highway Police (yeah, seriously!) and All India Radio's Allahabad website (I still wonder why!). As I searched more, I came across a list of more than 100 websites that were allegedly hacked by hackers from Bangladesh. I tried accessing some of the websites listed and they worked fine. Screenshots:
As of writing this post, both SEBI and Microsoft India's store website are down.
PS: SEBI's website is #341 on the PasteBin list.
Update: Martijn2 points out that Microsoft India's webstore was developed and managed by Quasar Media. Screenshot via a Google Cache copy dated Feb 9, 2012:
Update 2: Microsoft India has sent out an email to customers confirming the attack and suggesting some precautions.
Microsoft Store Customer Update
We are writing to inform you that there may have been unauthorized access to some of your customer account information on Microsoft Store India (http://www.microsoftstore.co.in/). We have confirmed that databases storing credit card details and payment information were not affected during this compromise. However, exposed account details may include non-financial related information including e-mail address, password, order details and shipping address.
Microsoft Store takes this situation very seriously, and the company is diligently working to remedy the issue and keep our customers protected. We need your help in this regard and we ask that you please take the following steps to prohibit any further unauthorized access to your information.
Precautions You Should Take
In order to secure your account information, Microsoft Store will take the action to re-set your password. Please follow these steps to ensure your privacy is protected:
1. If you use the same e-mail and password combination on any other sites, including non-Microsoft websites or services, you should proactively change the password immediately to ensure your personal information is protected.
2. You will receive an e-mail with a temporary password and a prompt to create a new password. Please note, the password reset relates only to Microsoft Store India.
3. Once you receive the e-mail you should immediately create a new password, one that is both secure and familiar to you.
Microsoft Store is Here to Help
We understand that you may have additional questions and Microsoft Store is here to help. If you have specific questions about your Microsoft Store account or want more information about computing and personal security please contact us at 1800-102-1100.
We apologize for any inconvenience this incident might cause.
Thank you, Microsoft Store India