Microsoft Stores are Microsoft’s online retail outlets. On Sunday, Microsoft Store India was hacked apparently by the group calling itself the Evil Shadow Team. The landing page briefly showed an image of a character wearing a Guy Fawkes mask, the image widely adopted by the Anonymous hacking fraternity. The most disturbing part of the hack is the revelation that user passwords were stored in plain text, and stolen.
Microsoft Stores are not generally owned or run by Microsoft, but are operated under license. Microsoft Store India is owned and operated by Quasar Media, ‘appointed by Microsoft’. At the time of writing, access to the site is limited to the ‘unavailable’ notice. However, the Microsoft Store UK site may indicate what would normally be found. Microsoft Store UK’s “services are provided by arvato distribution GmbH, an independent reseller of Microsoft.”
Prominent on the UK home page is the TRUSTe logo and a link to the official Microsoft Privacy Statement. This means that the UK site is bound by Microsoft’s own privacy commitment, which states: “Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information we collect on computer systems with limited access, which are located in controlled facilities.”
Because the Microsoft Store India site is currently unavailable, we cannot confirm whether a similar link existed on that site; but we can assume that it either did, or should have. With huge irony, and not a little embarrassment for Microsoft, the software giant’s privacy statement goes on to add, “If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential.” Microsoft Store India evidently did not do this.
Microsoft itself has yet to comment in detail. It has just briefly announced, “Microsoft is investigating a limited compromise of the company’s online store in India. Customers have been notified and provided with guidance to reset their passwords. We are diligently working to remedy the incident and keep our customers protected.”