Microsoft India's web store and SEBI's website attacked

Summary: The Security and Exchange Board of India and some other government sites have been defaced by hackers from Bangladesh, while Microsoft India's web store has been attacked by hackers from China.

TOPICS: Microsoft, Browser

Towards midnight in India, news of Microsoft India's web store being hacked surfaced. As the story unfolded, enthusiasts reported that Microsoft India stored usernames and passwords in plain text (this is something web devs are taught not to do in their web development 101 class). Rahul Mathur at WPSauce explained the hack, citing a post by someone called 7z1. The website (microsoft.co.in) was hacked by EvilShadow—a two-member team from China. According to Mathur, the duo was able to upload a page on the website while the rest of the website could be browsed by directly going to the product listings. However, things got bad when HackTeach posted screenshots of the user database. Here are the screenshots of the attack:

Early last year, Groupon India was hacked and the user database was dumped on the Internet. I searched on Twitter about the hack and I came across updates that said hackers from Bangladesh had attacked some government websites as a protest against action taken by India's Border Safety Force; as it turns out, some websites were. The biggest one is the Security and Exchange Board of India's website (sebi.gov.in); others include Maharashtra Highway Police (yeah, seriously!) and All India Radio's Allahabad website (I still wonder why!). As I searched more, I came across a list of more than 100 websites that were allegedly hacked by hackers from Bangladesh. I tried accessing some of the websites listed and they worked fine. Screenshots:

As of writing this post, both SEBI and Microsoft India's store website are down.

PS: SEBI's website is #341 on the PasteBin list.

Update: Martijn2 points out that Microsoft India's webstore was developed and managed by Quasar Media. Screenshot via a Google Cache copy dated Feb 9, 2012:

Update 2: Microsoft India has sent out an email to customers confirming the attack and suggesting some precautions.

Microsoft Store Customer Update

We are writing to inform you that there may have been unauthorized access to some of your customer account information on Microsoft Store India (http://www.microsoftstore.co.in/). We have confirmed that databases storing credit card details and payment information were not affected during this compromise. However, exposed account details may include non-financial related information including e-mail address, password, order details and shipping address.

Microsoft Store takes this situation very seriously, and the company is diligently working to remedy the issue and keep our customers protected. We need your help in this regard and we ask that you please take the following steps to prohibit any further unauthorized access to your information.

Precautions You Should Take

In order to secure your account information, Microsoft Store will take the action to re-set your password. Please follow these steps to ensure your privacy is protected:

1. If you use the same e-mail and password combination on any other sites, including non-Microsoft websites or services, you should proactively change the password immediately to ensure your personal information is protected.

2. You will receive an e-mail with a temporary password and a prompt to create a new password. Please note, the password reset relates only to Microsoft Store India.

3. Once you receive the e-mail you should immediately create a new password, one that is both secure and familiar to you.

Microsoft Store is Here to Help

We understand that you may have additional questions and Microsoft Store is here to help. If you have specific questions about your Microsoft Store account or want more information about computing and personal security please contact us at 1800-102-1100.

We apologize for any inconvenience this incident might cause.

Thank you, Microsoft Store India


Manan Kakkar

About Manan Kakkar

Telecommunication engineer with a keen interest in end-user technology and a News junkie, I share my thoughts while preparing for my Master's in Information Management.


Talkback

16 comments
  • RE: Microsoft India's web store and SEBI's website attacked

    Why is every Tech website lazy to report that this "Microsoft store" is run and managed by Quasar Media, not by Microsoft.
    Martijn2
    • RE: Microsoft India's web store and SEBI's website attacked

      @Martijn2 Appreciate the heads up. Updating the post.
      Manan Kakkar
      • RE: Microsoft India's web store and SEBI's website attacked

        @Manan Kakkar
        You can use this as a reference: http://quasar.co.in/clients.asp (or look at the www.microsoftstore.co.in/Terms_Conditions.aspx page on Google/Bing cache)
        Martijn2
  • RE: Microsoft India's web store and SEBI's website attacked

    Does it really matter who developed or operates that site? It is running under the label of Microsoft Store and people do business with the online store because it is Microsoft Store.

    If the passwords were saved in plain text, it is going to be shame on Microsoft.
    Here is another report on the security flaw in using Skydrive to send attachments from Hotmail:
    http://www.mywindowsclub.com/resources/5662-Serious-security-concerns-using-SkyDrive.aspx

    If you read the article in this link, you will see that anyone who sees the URL of the Skydrive attachments in hotmail can download the attachments. No need to sign in or go through any authentication. Anyone who accesses their email in a public computer is leaving the URL of the attachments in the browsing history and others can download the attachments by following the links in the browsing history.

    Is it not a big deal? Doesn't the security of user data and files need a little bit more protection?
    SkyDrive
    • RE: Microsoft India's web store and SEBI's website attacked

      @SkyDrive

      what???

      seriously you say it's a "skydrive security concern"?
      it's because YOU and other people just don't know how it works. and again, seriously, if you are in a public computer, would you blame skydrive because YOU didn't delete your history and temp files?? that's plain silly.

      and again, it's because people like you don't know how skydrive works.

      if you go to share in skydrive you can get 3 kinds of links, from public, to view only and view and edit.
      ANYONE with these links can view/edit files, if YOU don't protect the link and leave it to anyone access it's not skydrive problem. and that's what emailing skydrive attachments do, it sends a link. and it says "Link that was sent via email"

      when you share by email. it will have 2 checkboxes, and then it will add the people you are emailing to, to the sharing list. and you can check "Recipients can edit" and "Recipients must sign in to view".

      of course when you are emailing a lot of attachments and uploading them to skydrive, it will not ask you for those things. does it wrong? no. and people have to understand how it works, and if you are in a public computer you HAVE to delete your history and internet temp files.

      it's not a security concern it's about to know how it works. (again) and if you don't even know how to delete your history... it's YOU who doesn't protect your info.
      Emi Cyberschreiber
      • RE: Microsoft India's web store and SEBI's website attacked

        @Emi Cyberschreiber

        It is not a "skydrive security concern", but it is a "skydrive-hotmail integration security concern".

        You are talking about the scenario where people login to skydrive first, upload files and then use the share option to send files. Agreed, it works just fine.

        The scenario discussed here is, you login to Hotmail, send an email with attachments where the Skydrive is used to share instead of traditional attachments. In this case, there is no option to set security settings and files are shared publicly where anyone with the link can access it. To make it worse, the sender is given no clue that the file will be shared publicly. When you are sending attachments from Hotmail, you are given just 2 options - send as attachment or save to Skydrive.
        SkyDrive
    • RE: Microsoft India's web store and SEBI's website attacked

      @SkyDrive
      If I sent an email the traditional way, anyone with access to that email is able to see the attachments.
      If I sent an email the 'new' way, anyone with access to that email will be able to see the link and thereby able to access the attachments.

      What is the difference?
      That the new way adds an additional step? No big deal.
      That the new way is less secure? BS!
      D-J
  • RE: Microsoft India's web store and SEBI's website attacked

    I see the SEBI website up and running. Where did you get the information that it is down? Here it is - http://www.sebi.gov.in
    (The SEBI site does not work without the www., but I don't think it has anything to do with hacking)
    SkyDrive
    • RE: Microsoft India's web store and SEBI's website attacked

      @SkyDrive SEBI's website isn't working with or without the WWW. And if you do read the post, you'll know where I got my info from.
      Manan Kakkar
      • RE: Microsoft India's web store and SEBI's website attacked

        @Manan Kakkar, which country are you checking it from?
        SkyDrive
  • RE: Microsoft India's web store and SEBI's website attacked

    I can very well see and browse the SEBI website (from India). However, it appears to be not accessible from USA, which I confirmed now by checking it through a server located in USA.

    So I do not think the site itself is hacked but it could be a proactive measure they have taken to block access from other countries.
    SkyDrive
    • RE: Microsoft India's web store and SEBI's website attacked

      @SkyDrive lol such measures are taken only when the website is being attacked.
      Manan Kakkar
    • RE: Microsoft India's web store and SEBI's website attacked

      --
      theo_durcan
  • common factor of attacked servers?

    I put a $20: they are all serving .asp pages. Somebody want to bet?
    theo_durcan