Close to 40 Million Records Leaked Through Poor Power Apps Settings

Security researchers discovered that around 38 million data records have been exposed online. The data leak was caused by poorly configured instances of Microsoft Power Apps. The leaked data includes Covid vaccination information, emails and social security numbers.

Wired reports that data stored by large companies and public bodies was exposed online. The entities leaking records because of the configuration issue include New York City public schools, the Indiana state health department, American Airlines and the vehicle manufacturer Ford.

The leak was discovered by researchers at the security firm Upguard, who had started their investigation a few months earlier. They found that the data, while supposedly secured, was publicly accessible to anyone on the internet.

The root cause was that, under the default settings, data collected through a Power Apps portal's API was publicly accessible. To keep that information private, the owner of the portal had to reconfigure the API and the app so that the data was no longer exposed.

The researchers notified Microsoft about the issue, sending links to the specific Power Apps portals that were leaking data. Somewhat confusingly, after a brief exchange, Microsoft told the researchers that the issue was resolved, as the behavior was deemed to be "by design".

Upguard researchers then contacted the individual companies and entities affected by the default configuration issue. Within a few days, the vast majority of leaking Power Apps instances had been properly secured and the issue was indeed resolved.

Microsoft has since stated that data collected through Power Apps portals is now set to private by default. Additionally, the company released a dedicated tool designed to help customers easily check the privacy settings of their Power Apps data.

So far there is no evidence that the exposed data has been scraped or otherwise abused by malicious actors.

The incident has not turned into anything close to a data disaster, but it still shows that a simple oversight, such as trusting the default settings of a tool you are not entirely familiar with, can lead to real risks and data security issues.

August 25, 2021