Microsoft online customer accounts hacked in India
A group calling itself Evil Shadow Team reportedly stole usernames and passwords of Microsoft Store customers.
Microsoft's online store in India was hacked on Sunday, resulting in the theft of usernames and passwords of the site's customers.
A Chinese group of hackers calling itself Evil Shadow Team took credit for the hack, posting screenshots of obscured usernames and passwords that it found unencrypted on the site, according to Reuters. The group touted the attack on its own blog (here's an English translation), posting a screenshot of the hacked Web site with the message: "Unsafe system will be baptized."
Microsoft has since taken down the hacked site and replaced it with a message telling users that "The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible."
Microsoft confirmed the news in the following statement sent to CNET:
Microsoft is investigating the limited compromise of the company's online store in India. Customers have been notified and provided with guidance to reset their passwords. We are diligently working to remedy the incident and keep our customers protected.
Since the passwords were stored in clear text and not encrypted, customers who've purchased items through the site are at risk.
A report in the Times of India is advising users to change their passwords as soon as the site comes back online. And if they've used the same credentials at other sites, they're urged to change those as well.
No details were revealed as to why the group targeted Microsoft's Indian site or how they hacked their way in. But unencrypted passwords are highly valued by hackers, who can frequently use them to break into other--sometimes more vital--accounts if users have reused their passwords (as they all too frequently do). It also shows a surprising lack of security for a company like Microsoft.
But a comment in a story by AFP says that "Indian IT specialists have long lamented what they say is a lack of awareness about Internet security across the country."
Updated 10:30 a.m. PT with response from Microsoft.