Microsoft Store hacked in India, passwords stored in plain text

109 points by zalthor over 13 years ago

11 comments

sriramk over 13 years ago
Disclaimer: I used to work for Microsoft

I think Microsoft needs to take a ton of heat for this one.

a) They outsource something running on a Microsoft domain, with the Microsoft logo, etc. to an external entity, something customers wouldn't know about unless they read the ToU

b) That external entity wasn't held to even the most basic of security precautions - no MSFT online property would even be allowed to store passwords (that's the job for the LiveID guys) let alone do it in cleartext.

This is the sort of move for which people should get fired.
jeswin over 13 years ago
Whenever you outsource make sure you watch the code very, very carefully. At least 90% of the people I meet (at least here in Bangalore) would store passwords in clear text and not know why this is a bad thing.

Microsoft fully deserves the blame here, for not asking basic questions. Besides, the rest of the code is likely to be smelly too if the entire team failed to notice the issue.
CoffeeDregs over 13 years ago
So I've worked in an ASP.net environment and I generally hated it, but ...

The overall framework had a lot of features and examples abounded (http://msdn.microsoft.com/en-us/library/ff648341.aspx)[2005]. It's very difficult to imagine a company <<skirting around>> the many ASP.net examples in order to store passwords in plaintext. It's astounding to see that Microsoft itself did so... Seems that it says that examples don't actually abound or that the system is so complex that not even Microsoft could understand it.

More likely, Microsoft hired a low-cost contractor to build/manage their Indian site and suffered. Another sign that MS has lost touch.

EDIT: another commenter writes "The store isn't actually run by Microsoft, but rather Quasar Media.", so Microsoft outsourced their site...
yeahboats over 13 years ago
The store isn't actually run by Microsoft, but rather Quasar Media. It tarnishes Microsoft's name, but it isn't their fault.

http://www.theverge.com/2012/2/12/2793459/microsoft-store-india-hacked-username-password-leak
buyx over 13 years ago
Not surprising. A few years ago, I forgot my password for the Ted Ed South Africa website. I phoned in to reset, and had my password read back to me over the phone.
Jagat over 13 years ago
Incorrect report, there was no image with a Guy Fawkes mask. This is the actual image that had appeared on the site:

http://i.imgur.com/vcLal.png

Some self-promoting guy seems to have sent Engadget that screenshot.
latch over 13 years ago
I love how the fields are prefixed with acronyms for the table name.
illumen over 13 years ago
Doesn't ycombinator still store passwords in plain text?

Or has that been fixed now?
Jagat over 13 years ago
Guess what, they seem to be managing some of Nokia's and Panasonic's resources as well.

Off you go Quasar Media, you're doomed.

Here's the actual blogpost from the one who claims to be the hacker:

http://ps.s.blog.163.com/blog/static/89878892201211132353615/
unhappyhippie over 13 years ago
Can someone explain why the screenshot contained text that looks Chinese?
sathyabhat over 13 years ago
Previous submission: http://news.ycombinator.com/item?id=3582393