Data leak exposed 38 million records, including COVID-19 vaccination statuses

A Microsoft misconfiguration reportedly left data from more than 1,000 web apps in the open.

BeeBright via Getty Images

Around 38 million records from north of a thousand web apps that use Microsoft's Power Apps portals platform were left exposed online, according to researchers. The records are said to have included data from COVID-19 contact tracing efforts, vaccine registrations and employee databases, such as home addresses, phone numbers, social security numbers and vaccination status.

Data from some large companies and institutions was exposed in the incident, according to Wired, including American Airlines, Ford, the Indiana Department of Health and New York City public schools. The vulnerability has mostly been resolved.

Researchers from security company Upguard started looking into the issue in May. They found data from many Power Apps portals that was supposed to be private was available for anyone to access if they knew where to look.

The Power Apps service aims to make it easy for customers to make their own web and mobile apps. It offers application programming interfaces (APIs) for developers to use with the data they collect. However, Upguard found that using those APIs makes the data obtained through Power Apps Portals public by default, and manual reconfiguration was required to keep the information private.

Upguard says it sent a vulnerability report to the Microsoft Security Resource Center on June 24th, including links to Power Apps portals accounts on which sensitive data was exposed and steps to identify APIs that enabled anonymous access to data. Researchers worked with Microsoft to clarify how to reproduce the issue. However, an Microsoft analyst told the firm on June 29th that the case was closed and they “determined that this behavior is considered to be by design.”

Upguard then started notifying some of the affected companies and organizations, which moved to lock down their data. It raised an abuse report with Microsoft on July 15th. By July 19th, the company says that most of the data from the Power Apps portals in question, including the most sensitive information, had been made private.

Microsoft provided us with the following statement after this story was first published: "Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs."

Earlier this month, Microsoft said Power Apps portals apps will keep data private by default when developers harness the APIs. In addition, it released a tool for developers to check their settings.

There's no indication as yet that any of the exposed data has been compromised. Among the most sensitive information that was left in the open were 332,000 email addresses and Microsoft employee IDs that are used for payroll, according to Upguard. The company also says that more than 39,000 records from portals related to Microsoft Mixed Reality were exposed, including users' names and email addresses.

The incident underscores the fact that a misconfiguration, no matter how seemingly minor, could lead to serious data breaches. That doesn't appear to be the case here, thankfully. Still, it goes to show that developers should probably triple check their settings, especially when plugging in an API they haven't designed themselves.

Update 8/23 3:45PM ET: Added a statement from Microsoft.

Update 8/23 4:30PM ET: Clarified that the issue concerned Power Apps portals, and not Power Apps as a whole.

This article contains affiliate links; if you click such a link and make a purchase, we may earn a commission.