Microsoft India Store Finally Back Online!

  • Thread starter: Sushubh
  • Replies: 18
  • Views: 2,798

A few of you would remember discussing this store in some older threads.

Quasar Media managed this store. And they were storing user details in text format.

And they have still not managed to get it back online.

Microsoft Store



Microsoft India Store gets hacked, passwords and usernames exposed (updated) | VentureBeat

While we can easily confirm that the site is offline, it’s more difficult to prove if the store’s username database has been hacked. Screenshots potentially showing information from the database have been released by the Chinese site HackTeach, but Microsoft has yet to confirm that the data has been compromised. HackTeach is also reporting that the passwords were unsecured and saved in plain text, which if true, would be a shocking security blunder on Microsoft’s part.
 
Too bad. They were pitching Xbox 360, Lumia 800 and some Microsoft web cam very very seriously for a few days, only to see their site go down.
 
there is a very good possibility that letsbuy is also storing their passwords in plain text. a friend told me that they mail you the user id and password (in text) just after you create an account. this is a very good indication that the passwords are probably stored in plain text.
 
A lot of sites store passwords in plain text format. A simple check would be to use the forget password link, you will be shocked to see that sites like insurance etc. also store passwords in unencrypted format.
 


there is a very good possibility that letsbuy is also storing their passwords in plain text.

a friend told me that they mail you the user id and password (in text) just after you create an account.

this is a very good indication that the passwords are probably stored in plain text.


Yes buddy, I just now checked my mail archive and found that the Welcome Mail received from Letsbuy has my password in text.
 
just tried the password recovery option on letsbuy and they mailed me a 'new password' in plain text. a new randomly generated password!



two problems with this bullcrap.

1. they are likely using raw text passwords because of what we have already discussed.
2. ANYONE can reset your password ANYTIME by using your email address in their password recovery form.

flipkart is doing it better. they send you a link. which you have to click to land on a page where you can enter your own password. they are not generating a new password and mailing it to you in plain text.
 
If a site is sending you your own password, then it's storing the passwords as text for sure. But entering email id and receiving a randomly generated password is not much of an issue, since your mail account is still under your control.
 
@chromaniac,
That is not necessarily proof that they are storing the plaintext password. They could've just used the plaintext password for the account creation email and then discarded it.

----------

BTW, did the hackers release the stolen username/password list? I might've created an account there a long time ago 🙁
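An added example (not written by any poster in this thread, and not the code of any site named here) of the two points argued above: keeping only a salted hash so the plaintext can be used once and discarded, and a reset link whose token is single-use and leaves the current password untouched. The function names, in-memory dicts, PBKDF2 iteration count and 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

USERS = {}        # email -> (salt, derived key); the plaintext is never kept
RESETS = {}       # sha256(token) -> (email, expiry); raw token lives only in the mailed link
TOKEN_TTL = 900   # seconds (assumed lifetime for this example)
ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(email, password):
    # Sign-up and reset both end here: derive, store, drop the plaintext.
    salt = secrets.token_bytes(16)
    USERS[email] = (salt, _kdf(password, salt))

def check_password(email, password):
    salt, stored = USERS.get(email, (b"\0" * 16, b""))
    return hmac.compare_digest(_kdf(password, salt), stored)

def request_reset(email, now=None):
    """Return the token to embed in the mailed link (None for unknown addresses;
    the web response should look the same either way). The current password is
    not changed, so submitting someone else's address alters nothing for them."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESETS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token

def complete_reset(token, new_password, now=None):
    """Single-use: the token is consumed whether or not it is still valid."""
    now = time.time() if now is None else now
    entry = RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)  # the user picks the new password
    return True
```
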
 
Hackers, allegedly belonging to a Chinese group called Evil Shadow Team, struck at Microsoft Store Online India on Sunday night, stealing login ids and passwords of people who had used the website for shopping Microsoft products.

While it is troublesome that hackers were able to breach security at a website owned by one of the biggest IT companies in the world, it is more alarming that user details - login ids and passwords - were reportedly stored in a plain text file, without any encryption.

Following the hack, the members of Evil Shadow Team posted a message on the Microsoft website saying "unsafe system will be baptized". The story was first reported by Windows Phone Sauce.

Later, the website seemed to have been taken offline by Microsoft. We advise the users at Microsoft India Store to change the password as soon as the website comes online. Also, if they have used the same password or login id on any other web service, they should change it immediately.

Last year, hacker groups like Lulzsec had carried out several high-profile break-ins, putting focus on the security measures companies put in place. Sony allegedly suffered several security breaches and hackers stole user ids and passwords of customers from its network.

In a message posted on a website called Pastebin, Lulzsec claimed the group was bringing attention to the web security. "Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now," the group wrote.

But the incident at Microsoft Store on Sunday hints that lessons have not been learnt. Just like Sony, which later revealed that user ids and passwords were not encrypted at the time of security breach, Microsoft too seemed to have been casual about handling the user details by storing them in a plain text file.

Commenting on the security breach, a Microsoft spokesperson said, "Microsoft is investigating a limited compromise of the company's online store in India. The store customers have already been sent guidance on the issue and suggested immediate actions. We are diligently working to remedy the issue and keep our customers protected."

Source: http://articles.timesofindia.indiatimes.com/2012-02-13/security/31054691_1_passwords-security-breach-hackers

----------

Here is the current status:
 
In this case, the online Microsoft Store in India is managed by a third-party service provider rather than Microsoft itself. Microsoft itself is less culpable, but it should require more from the vendors it works with, and its agreement should explicitly spell out a minimum level of acceptable protection for customer data.

Source
 
just tried the password recovery option on letsbuy and they mailed me a 'new password' in plain text. a new randomly generated password!



two problems with this bullcrap.

1. they are likely using raw text passwords because of what we have already discussed.
2. ANYONE can reset your password ANYTIME by using your email address in their password recovery form.

flipkart is doing it better. they send you a link. which you have to click to land on a page where you can enter your own password. they are not generating a new password and mailing it to you in plain text.
Heh Letsbuy site is a joke. I was about to say that they don't even have a "My profile/account" sort of a thing with your address n stuff. Just logged in to check and it seems they have that now.
 
