Microsoft users had their data exposed without their permission, and the software's default permissions settings for its app-building tool is the one to blame for it.
Microsoft Exposed Data of Millions of Users
According to The Verge, the data of more than 38 million users were exposed online. The data included their full names, phone numbers, email addresses, social security numbers, and even their COVID-19 vaccination certifications.
These data were made public, and 47 companies, organizations, and government branches can access it via the Power Apps tool.
However, no evidence of the data being exploited or sold on the dark web, and the issue has now been resolved by Microsoft, according to The Sun.
The issue was discovered back in May by UpGuard, a security research team.
A recent blog post from the team and Wired report explained how organizations used the Power Apps tool to create apps with improper data permissions.
UpGuard's Vice President of cyber research, Greg Pollock, stated that they found one of the apps that was misconfigured to expose data and they said that they've never heard of it. He added that they didn't even know if what happened was a one-off or a systemic issue.
Pollock added that it is easy and quick to do a survey because of how the Power Apps portals product works. They discovered that there are a lot of the data were exposed.
What are Power Apps?
Power Apps allow companies to create simple apps and websites without formal coding experience.
The organizations named in the breach, including American Airlines, Ford, J.B Hunt, and state agencies in New York City, Indiana, and Maryland, were said to have used the site to collect data from users for different purposes, including organizing their vaccination effort.
Power Apps have tools that can quickly collate the data needed in these types of projects, but, by default, it leaves this information accessible to the public. This is what UpGuard discovered.
The mechanism of this data breach made experts think about when they should consider an issue as a software problem and consider it a user interface problem.
UpGuard reported that Microsoft believes it was not a problem with their system, but instead, it was the users' responsibility because they did not configure the apps' settings properly.
However, if you are making an app designed to be used by people with little coding experience, it is better to make things as safe as possible by default because it is the smart move to do.
According to Wired, Microsoft has now adjusted the settings to ensure this breach won't happen again.
Microsoft was also under fire for a data breach that affected 30,000 businesses and government agencies across the United States in March.
The data breach also affected small businesses, several towns, local governments, and cities. The breach was due to the vulnerabilities discovered in the Microsoft Exchange Server. The issue has since been fixed, although it was not addressed how it was done.
In 2020, the data of more than 250 million Microsoft users were exposed online.
Also, in 2016, Microsoft's LinkedIn users was affected by a data breach wherein 55,000 passwords were compromised.
Related Article: Microsoft Big Email China Hacked: How to Know if You're Affected, What to Do Next
This article is owned by Tech Times
Written by Sophie Webster