A data breach within Microsoft Power Apps left 38 million records and dozens of organizations exposed online.
More than 1,000 web apps became accessible to anyone after a misconfiguration within Microsoft Power Apps, exposing 38 million records. The exposed information included COVID-19 contact tracing data, vaccination sign-ups, job applications, and employee databases, as well as phone numbers, home addresses, and social security numbers.
Dozens of companies were affected by the breach, including large industry names such as American Airlines, Ford, the New York City public schools, and more.
The breach exposed data stored in Microsoft’s Power Apps portal service, a development platform that allows for the creation of web or mobile apps for external use. Microsoft Power Apps facilitates the management of internal databases, provides a foundation when developing apps, and offers ready-made APIs to interact with that data.
An investigation of Power Apps conducted back in May by UpGuard revealed that when these APIs were enabled, the service defaulted to making the data publicly accessible, and users had to change this manually in the privacy settings.
Many customers never changed this privacy configuration and so left the insecure default setting on. Greg Pollock, UpGuard’s vice president of cyber research, said that “because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
Thankfully, in this particular instance, no data was compromised. Still, the discovery is important because it revealed an oversight in the Power Apps portals design, something Microsoft has since fixed due to customer pressure.
Since then, Microsoft has also changed the data setting on Power Apps portal apps to private by default.
The tech giant issued the following statement to Engadget: “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”