Getting hacked is not good. Getting hacked then outed for keeping customer passwords in plain text is an epic not good.
That's the lesson learned by Microsoft and their online store in India, allegedly hacked by the Chinese Evil Shadow Team. Actually owned by an Indian company by the name of Quasar Media, the Microsoft store remains offline at this writing, indicating the legit owners once again have some control.
While the usernames and passwords, in plain text, were no doubt taken, the hacker group's goal may not be theft. Declaring that the "unsafe system will be baptized," the group left the famous Guy Fawkes mask on the site's front page.
jailtime please, so sick of hackers - Windshield on theverge.com
Disclaimer: I used to work for Microsoft. I think Microsoft needs to take a ton of heat for this one. - sriramk on news.ycombinator.com
Certainly in the UK at least, and I'm sure most of the world, organisations that hold sensitive electronic data have a LEGAL obligation to protect that data. - wmp_surur on endgadget.com
If it was an MS store, then it's their fault. The store was branded with the MS brand in order to convey to consumers that the store could be trusted. - CoffeeDregs on news.ycombinator.com
I'm not saying what they did was right, but the fact that they stored this information in plain text is just a blatant lack of caring on Microsoft's part. - Matt Cotsones on endgadget.com
They were trying to expose unsafe systems much like Anonymous. - Danhese007 on theverge.com
Advice for both parties
Hey hackers why not hack into something like Al Qaeda or other terrorist exchange forum and let people know when they plan to blow s**t up and kill people? - Arkweld on endgadget.com
Using clear text password is indefensible – but I don’t think this is a branch of Microsoft as they would be using Live IDs. - RoboTone on theverge.com
At least 90% of the people I meet (at least here in Bangalore) would store passwords in clear text and not know why this is a bad thing. - jeswin on news.ycombinator.com
Doesn't Microsoft oversee contractors? Are contractors not required to follow Microsoft programming practices and security guidelines?