Personal data of 38 million people has been exposed following a breach of Microsoft's Power Apps.
The data includes social security and phone numbers, COVID vaccination status and home addresses.
Companies affected by the breach include American Airlines, New York City public schools, Ford, the Maryland Department of Health, and the New York City Municipal Transportation Authority.
It was unclear how the breach happened, or who was responsible.
Researchers at cybersecurity firm UpGuard found the breaches in May. They do not think anyone's data has been fraudulently used, so far. Their findings were made public on Monday.
Microsoft's Power Apps have been affected by the breach, which saw the data of 38 million people exposed
Some of the data inadvertently made public included COVID vaccination status
The exposed data was all stored in Microsoft's Power Apps portal service, Wired reported.
Power Apps is a development platform that makes it easy to create web or mobile apps for external use.
If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.
'We found one of these that was misconfigured to expose data and we thought, we've never heard of this, is this a one-off thing or is this a systemic issue?' said Greg Pollock, UpGuard's vice president of cyber research.
'Because of the way the Power Apps portals product works, it's very easy to quickly do a survey.
'And we discovered there are tons of these exposed. It was wild.'
Microsoft has now made its Power Apps portals private by default
At the beginning of August, Microsoft announced that the Power Apps portals will now default to storing API data and other information privately.
Pollock said that the vast majority of the exposed portals, and all of the most sensitive ones, are now private.
'With other things we've worked on, it's public knowledge that cloud buckets can be misconfigured, so it's not incumbent on us to help secure all of them,' he told Wired.
'But no one had ever cleaned these up before, so we felt we had an ethical duty to secure at least the most sensitive ones before being able to talk about the systemic issues.'
Kenn White, director of the Open Crypto Audit Project, said it was a wakeup call for the industry as a whole.
'Secure default settings matter,' he told Wired.
'When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong.
'If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.'
Also on Monday, T-Mobile confirmed its servers have been hacked - but refused to confirm claims 100 million customers personal data - including social security numbers and drivers licenses - are now for sale online.
The hack was first rumored on Sunday.
'We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time,' a T-Mobile spokesperson said in a statement on Sunday.
U.S.-based digital media outlet Vice first reported the claims of a data breach. The veracity of the hacker's claims could not be independently verified.
Post a Comment