A data breach within Microsoft Power Apps left 38 million records and dozens of organizations exposed online.
More than 1,000 web apps became accessible to anyone after a misconfiguration within Microsoft Power Apps, leading to the exposure of 38 million records which include information such as COVID-19 contact tracing, vaccination sign-ups, job applications, and employee databases, but also data like phone numbers, home addresses, and social security numbers.
Related | Facebook Data Breach: Did They Get Your Data?
Dozens of companies were affected by the breach, including large industry names such as American Airlines, Ford, the New York City public schools, and more.
The breach exposed data stored in Microsoft’s Power Apps portal service, a development platform that allows for the creation of web or mobile apps for external use. Microsoft Power Apps facilitates the management of internal databases, provides a foundation when developing apps, and offers ready-made APIs to interact with that data.
An investigation of Power Apps conducted back in May by UpGuard revealed that when enabling these APIs, the service defaulted to making the data publicly accessible and needed to be changed in the privacy settings by users manually.
As many of them did not enable this privacy configuration process, many customers left the insecure default setting on. Greg Pollock, UpGuard’s vice president of cyber research, said that “because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
Thankfully in this particular instance, no data was compromised. Still, discovering this insecurity is important because it revealed the oversight in the Power Apps portals design, something Microsoft has since fixed due to customer pressure.
Since then, Microsoft has also changed the data setting on Power Apps portal apps to private by default.
The tech giant issued the following statement to Engadget: “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
You might also like
More from Tech
Kim Kardashian And Beats Introduce Special Edition Fit Pro Earbuds
Kim Kardashian's special edition Beats Fit Pro are now available at Apple stores.The earbuds come in three neutral colors, Moon, …
Lyft Wants To Cash In On In-Car Digital Ads
Lyft announced the launch of Lyft Media, a new digital advertising business unit with the potential to add billions to …
Amazon Alexa Mimics The Voices Of Your Dead Relatives
Amazon is testing an experimental Alexa feature that allows it to mimic the voices of your dead relatives. Read that …
Adobe Announces Express Content Scheduler
Adobe has announced Adobe Express Content Scheduler, a new tool to help social media managers make, plan, preview, and publish …
Stripe Now Lets You Buy NFTs Without Having To Own Crypto
Stripe has unveiled a new suite of services that includes the ability to buy crypto and NFTs with fiat currencies.
Spotify’s Car Thing Is Now Officially Available In The US
The 4-inch touch and voice-controlled device is designed for older car models that lack dashboard touchscreen infotainment systems.
OpenSea Brings Verified Customer Service To Fight Discord Scammers
Leading NFT marketplace OpenSea has partnered with Metalink to gate out hacks on its Discord.
MultiNFT Launches New Token Ahead Of VR Concerts In Decentraland
$MNFT can soon be used to access MultiNFT's 24h Rage nightclub in Decentraland's iconic festival district, where it owns a …
Creators Of Shiba Inu Are Working On A Metaverse For The Meme
Developers of the meme coin have given us a glimpse of what the Shiba Inu metaverse world will look like …
