Updated August 24th, 2021 at 20:42 IST

38M sensitive Microsoft Power Apps records accidentally exposed; 47 organisations affected

The exposed data included pivotal information like Covid-19 vaccination records, financial information, millions of names, addresses, contact tracing, etc.

Reported by: Dipaneeta Das

In a major security breach, about 38 million records stored on Microsoft Power Apps portals were accidentally exposed this year. The exposure was disclosed by the security firm UpGuard on Monday. "The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access - a new vector of data exposure," the UpGuard team wrote in a statement.

On May 24, 2021, an UpGuard analyst first discovered that "the OData API for a Power Apps portal had anonymously accessible list data including personally identifiable information," a statement from the team said. On June 24, UpGuard submitted a "vulnerability report to the Microsoft Security Resource Center." The report listed the steps taken to "identify OData feeds that allowed anonymous access to list data and URLs for accounts that were exposing sensitive data."

47 institutions affected due to the security breach

The exposed data included crucial information like Covid-19 vaccination records, financial information, millions of names, addresses, contact tracing, appointments, job IDs and passwords. UpGuard said that 47 institutions were affected as a result of the security breach. "UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft," the security firm added in its statement.

According to reports, the affected institutions were all using Microsoft Power Apps portals, which let organisations build apps that interact with the public. The security firm added, "Product documentation for Power Apps describes the conditions under which OData APIs can be made publicly accessible, and the main Power Apps marketing page lists the ability to access “your data either anonymously or through commercial authentication” as one of the top features."

According to UpGuard, "The number of accounts exposing sensitive information, however, indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated." Microsoft has since confirmed that it made the necessary changes to the Power Apps portals, notified affected customers as soon as it became aware of the lapse, and informed them of the security risks so that they could fix the problems themselves.


(With inputs from @UpGuard/Twitter)


Published August 24th, 2021 at 20:42 IST