I think Microsoft needs to take a ton of heat for this one.
a) They outsource something running on a Microsoft domain, with the Microsoft logo, etc to an external entity, something customers wouldn't know about unless they read the ToU
b) That external entity wasn't held to even the most basic of security precautions - no MSFT online property would even be allowed to store passwords (that's the job for the LiveID guys) let alone do it in cleartext.
This is the sort of move for which people should get fired over.
Let the heads roll.
Microsoft fully deserves the blame here, for not asking basic questions. Besides, the rest of the code is likely to be smelly too if the entire team failed to notice the issue.
You don't even need to look at the code to find out the passwords are stored in plain text. A quick tour through the database during testing would tell you everything you need to know here.
This is nothing more than laziness and ignorance.
The overall framework had a lot of features and examples abounded (http://msdn.microsoft.com/en-us/library/ff648341.aspx). It's very difficult to imagine a company <<skirting around>> the many ASP.net examples in order to store passwords in plaintext. It's astounding to see that Microsoft itself did so... Seems that it says that examples don't actually abound or that the system is so complex that not even Microsoft could understand it.
More likely, Microsoft hired a low-cost contractor to build/manage their Indian site and suffered. Another sign that MS has lost touch.
EDIT: another commenter writes "The store isn't actually run by microsoft, but rather Quasar Media.", so Microsoft outsourced their site...
Some self-promoting guy seems to have sent Endgadget that screenshot.
More likely it's just that someone decided that was how they were going to do it one day and it stuck.
I worked on a system where all tables were prefixed with "tbl_" - even when they were often views and not tables at all....
I don't do this usually but I have run into a couple of occasions where it would have helped out.
I find the much better method is to be strict about table names and aliases:
1: Always specify the table name with field names. Even if there is only one table in the query (if the query changes later to draw in data from another table, you don't have to go back and add the table references if they are already there). As well as avoiding name conflicts which will raise errors, it removes certain silent fails that are possible with correlated sub-queries when you don't explicitly note the intended scope by naming the object a column should be found on.
2: Always specify a short but meaningful alias for every object referenced in the query/view (such as "kpi_fact_definition AS kfd"). It makes the code more readable when every column reference has "<table>." prefixed.
2b: All aliases should be unique within the query/view even if the same object is referenced more than once where the scope of each reference means the names/aliases would not conflict. Also try to avoid using aliases that are visually similar (visually similar aliases can lead to typing errors being able to hide in plain view).
3: Make sure that all tables/views have meaningful names, even if they means them looking overly long. You are going to give them short aliases when you use them anyway.
I can't imagine anyone having this problem after the early 90's...
Or has that been fixed now?
Off you go Quasar Media, you're doomed.
Here's the actual blogpost from the one who claims to be the hacker
Note from the blog page
actually means "No comment, fap fap fap"
Still, clearly the answer is that's a hacker's computer. Just because its an India store doesn't mean the hacker is Indian.