I just bought Office for Mac from microsoft.com. To do so, I created an account. A bit later I realized I'd forgotten my password, so I clicked the necessary links to have it sent to me.
I expected to get either a random temporary password or a one-shot URL I could use to reset my password. Either of these approaches is standard practice. Instead I got an email containing my original password, which means Microsoft is remembering it in clear text.
To see how much more they're remembering I started a new purchase. I saw they had saved my credit card info and billing address. I don't know if the purchase would have gone through if I'd chosen to continue. For all I know they would have prompted me for my password before completing the transaction. Still, that password was exposed to employees of Microsoft and to anyone who hacks into their systems.
I would hope Microsoft does not save full credit card numbers. That would be monumentally stupid. On the other hand it appears Sony might have been that stupid, so who knows what to assume about big companies who should know better.
I deleted the credit card from my Microsoft profile. There is a separate option to delete my address, which I also did. I got to my account settings by following this link: http://buy.officeformac.com/store/msmacus/DisplayHelpPage. Microsoft included this link three times — once misspelled — in the confirmation email for my purchase. If I didn't have that email handy, it's not obvious to me how I would have gotten to my account info by navigating Microsoft's web site. But I admit I didn't study the web site very hard.
. . .
UPDATE: I realized I should change my password. I'm keeping the email they sent me so I can show anybody who asks. No point keeping my real password around in clear text after complaining that's a bad idea.
Here is that email. It begins, "Thank you for contacting us on Microsoft Office for Mac US Store." What kind of sentence is that? Between this sentence, the misspelled URL in the confirmation email, and the officeformac.com domain name, I wondered for a moment if I'd carelessly made my purchase through a hacker site. But no, microsoft.com links to officeformac.com.
I really doubt that they store your password in clear text. I am pretty sure they store an encrypted password. And they also store the key to decrypt your password to get it in clear text. This is the normal way to do it; otherwise, how would they compare your password when you enter your password in clear text while logging in?
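The following is an added example, not part of the original post or the comment and not Microsoft's code. It sketches the one-shot reset flow the post expects, along with a login check that compares passwords without the server keeping anything it could mail back. The `Accounts` class, the PBKDF2 iteration count, the token lifetime and the sample addresses and passwords are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # assumed PBKDF2 work factor
RESET_TTL = 15 * 60    # assumed reset-token lifetime, in seconds

def derive(password, salt):
    # One-way derivation: there is no key that turns this back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def token_id(token):
    # Only a digest of the reset token is stored, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()

class Accounts:  # hypothetical in-memory store standing in for a database
    def __init__(self):
        self.creds = {}    # email -> (salt, derived key)
        self.resets = {}   # sha256(token) -> (email, expiry time)

    def register(self, email, password):
        salt = secrets.token_bytes(16)          # unique per account
        self.creds[email] = (salt, derive(password, salt))

    def login(self, email, password):
        record = self.creds.get(email)
        if record is None:
            return False
        salt, stored = record
        # Re-derive from the submitted password and compare in constant time.
        return hmac.compare_digest(derive(password, salt), stored)

    def start_reset(self, email, now=None):
        if email not in self.creds:
            return None                         # nothing to send
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # goes into the emailed URL
        self.resets[token_id(token)] = (email, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use even when it turns out to be expired.
        entry = self.resets.pop(token_id(token), None)
        if entry is None or now > entry[1]:
            return False
        self.register(entry[0], new_password)   # fresh salt, old key discarded
        return True
```

The stored record is a salt plus a derived key, so a "forgot password" email can only carry the random token, never the original password.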