Malicious hackers attacked Microsoft’s India online retail store on Sunday evening, publishing obscured screenshots that appeared to contain personal user information.
A Chinese hacker group known as “Evil Shadow Team” took responsibility for the breach, posting a message on Microsoft’s website stating that the “unsafe system will be baptized.” In what seemed to be a warning against Microsoft’s unencrypted user information, the group posted screenshots of what appeared to be partially obscured user information, including login IDs and passwords.
The group apparently found that information stored in plain text rather than in encrypted files.
The hackers refrained from publishing any screenshots that fully gave away user information, but Microsoft and Quasar Media, the Indian company that runs the retail site, advised users that they should change their log-on immediately.
An Evil Shadow Team member using the handle “7z1” posted the shots on a blog that the team runs. In the post, 7z1 referred to himself in Mandarin as a “patriotic hacker.”
As of Tuesday morning in the U.S., the breached site was still down. Microsoft did not respond to our requests for comment.
Microsoft Not the First
Microsoft joins a growing group of large companies that have been forced to deal with recent security breaches from relatively small, under-the-radar groups of hackers.
“When the CIA and FBI networks are compromised at will, it should surprise no one that a company like Microsoft could have an isolated part of its sprawling network compromised,” Larry Walsh, president of the 2112 Group, told TechNewsWorld.
Powerful networks and international government agencies are seeing a rise in cyberattacks in response to unpopular decisions, such as the U.S. government’s recent crackdown on illegal file-sharing and on sites such as Megaupload. Networks have been compromised by groups such as Anonymous, which say they are using hacktivism to spread a political or social message.
In addition to attacks in protest or the promotion of causes, though, retail and e-commerce sites have been taking more hits lately as well.
The hacking group LulzSec got into Sony’s systems last summer, obtaining users’ personal information such as e-mail addresses, birthdates and passwords. The incident wreaked havoc with Sony’s online services for weeks while it scrambled to plug the holes.
“While some hacking methods are questionable and in fact illegal, they do reveal the insecurity of our digital world,” said Walsh.
Prevention Is Key
Taking the necessary precautions to avoid that insecurity is an absolute necessity in today’s climate, according to Mike Lloyd, CTO of RedSeal Networks.
“To prevent this, likely targets need to use automation to understand weaknesses; today, it’s all too easy for those who feel like it to use their own automation tools to deface, degrade or even destroy online infrastructure,” said Lloyd.
Although Microsoft’s U.S. security policies might have included encrypting data, a site run by a company on an entirely different continent might not adhere to the same policy.
The growing threat of cyberattacks and the increasing vulnerability of commerce sites should serve as a warning to consumers to think twice before sending highly personal data online.
“The important thing to remember in all of this is there’s no such thing as 100 percent secure. Every site is vulnerable, just as your home is vulnerable to burglary. You can lock your windows and doors; you can even have an alarm system. But if someone wants into your house and they are determined, they will find a way in. It’s the same with every website and online application,” said Walsh.