A data breach within Microsoft Power Apps left 38 million records and dozens of organizations exposed online.
More than 1,000 web apps became accessible to anyone after a misconfiguration within Microsoft Power Apps, leading to the exposure of 38 million records which include information such as COVID-19 contact tracing, vaccination sign-ups, job applications, and employee databases, but also data like phone numbers, home addresses, and social security numbers.
Related | Facebook Data Breach: Did They Get Your Data?
Dozens of companies were affected by the breach, including large industry names such as American Airlines, Ford, the New York City public schools, and more.
The breach exposed data stored in Microsoft’s Power Apps portal service, a development platform that allows for the creation of web or mobile apps for external use. Microsoft Power Apps facilitates the management of internal databases, provides a foundation when developing apps, and offers ready-made APIs to interact with that data.
An investigation of Power Apps conducted back in May by UpGuard revealed that when enabling these APIs, the service defaulted to making the data publicly accessible and needed to be changed in the privacy settings by users manually.
As many of them did not enable this privacy configuration process, many customers left the insecure default setting on. Greg Pollock, UpGuard’s vice president of cyber research, said that “because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
Thankfully in this particular instance, no data was compromised. Still, discovering this insecurity is important because it revealed the oversight in the Power Apps portals design, something Microsoft has since fixed due to customer pressure.
Since then, Microsoft has also changed the data setting on Power Apps portal apps to private by default.
The tech giant issued the following statement to Engadget: “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
You might also like
More from Tech
Alexa Is Going To Space On NASA’s Orion Spacecraft
Amazon and Lockheed Martin are sending Alexa into outer space as part of Callisto, a tech demonstration on NASA's upcoming …
China Pilots Digital Currency Wallet App Ahead Of Olympics
China test drives a wallet app for its new digital Yuan in 10 cities before rolling out the digital wallet …
Quentin Tarantino Insists On Pulp Fiction Script NFT Sale Despite Lawsuit
Taking advantage of legal loopholes in the copyright law regarding NFTs, Quentin Tarantino is minting his handwritten Pulp Fiction script.
OpenSea Announces $300M Series C Funding
Online NFT marketplace OpenSea announced it has secured $300 million in Series C funding, bringing its value to over $13 billion.
BTS Decide To Launch NFTs, Drawing Intense Criticism From Fans
BTS' agency Hybe announced that it will start developing NFTs for the band, despite outrage from fans over the technology's …
Eminem Joins The Bored Ape Yacht Club With $460K EminApe
Eminem is the latest celebrity to join the ranks of the BAYC, after purchasing an ape for $460K, on OpenSea.
Samsung Announces 2022 TVs With Integrated NFT Platform
New Samsung smart TVs will have a built-in, intuitive NFT platform that will let users browse and trade digital works …
Sony Teases New VR Headset And Controller For The PS5
Sony has confirmed its next-gen VR set will come with a VR2 Sense controller and plug into the PS5 with …
Searches For ‘NFT’ Surpass Those For ‘Crypto’
Internet users are more interested in NFTs than crypto, as the former went from anonymous to an almost $20B market …
