Just about 48 hours ago, news went viral about the latest assault on Microsoft’s India store website.
As the ‘EvilShadow Team’ probably flex their legs and people, blogs, news guys boo-haa MS for being so naive on storing passwords in plain text, I was thinking ‘wait-a-sec, MS has been through plain text mistake earlier too.. where they really so careless?’
I try to visit microsoftstore.co.in and get greeted by a message like this:
Notice how it says ‘Microsoft is working on it’ rather than saying ‘We are..’
And bingo, that reminds me that the store and website is not operated by Microsoft but ‘Quasar Media’!
How do I know?
I remember applying ‘social engineering’ on their customer support while reasoning why prices of Xbox accessories were different on ‘http://www.xbox.com/en-IN’ vs ‘microsoftstore.co.in’ .. I got more insider details too but it isn’t relevant in this post.
Clearly, it was an outsourced operation and ‘Quasar Media’ has been loose about their security. I’m sure the top brass is getting a scream from MS.
What should you be doing?
If you do have a microsoftstore.co.in login (or should I say ‘if you did’ – past-tense), and if it is important to you (not the id, but the other creamy information you’ve given along with signup), then please go now and change your password ( obviously, when the site is up ).
I do not remember having a store id, although first thing I did when I heard this news was to change my XBL password, just in case it was an SSO.
Anyone remembers if store login was an SSO? If it was, you better get on with changing any of your MS/related service passwords…. live.com, msn, XBL, azure? to name a few.
I did too, but /me thinks it was not an SSO. If it was, then it would be a more serious shit and Microsoft would have been calling up their media friends by now.
And finally, word of advice: Do not allow browser to save password of any site that you’ll use your creditcard/banking information.. includes netbanking login, movie ticket sites, online stores such as microsoftstore.co.in :), XBL. p’uh’lease do not use same passwords for your email id and other websites.
I’m sure most of these guys have: (thanks to engadget.com for this image)