Microsoft Power Apps Leak Data for 38 Million Users

  • By Dawna M. Roberts
  • Published: Oct 27, 2021
  • Last Updated: Mar 18, 2022

Microsoft is in the news again with another data leak researchers are calling a “flaw,” but the company denies any issue with the Power Apps platform.

What is Going On?

Microsoft Power Apps bug leaks data for 38 million customers with hundreds of misconfigured online portals exposed. According to Threatpost,

“Data leaked includes COVID-19 vaccination records, Social Security numbers and email addresses tied to American Airlines, Ford, Indiana Department of Health and New York City public schools.”

 

As described by Microsoft, Power Apps are a “suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs.” Developers often use Power Apps and store information in the cloud during app development.

On Monday, UpGuard Research discovered that Microsoft’s Power Apps had inadvertently leaked data from 47 separate businesses. Researchers found 38 million leaked records. The issue was found to be a flaw in Power Apps “in the way it forced customers to configure their data as private or public.”

UpGuard discovered the problem in June and notified 47 companies of the danger of their exposed data. When UpGuard notified Microsoft, the company responded that it was “by-design behavior,” and not a flaw at all.

How Did Microsoft Respond?

Microsoft commented that they do not see the issue as a bug but simply a configuration issue that may need some customization down the road.

Microsoft Power Apps Leak Data

Data Breach Today reported that,

“Microsoft has now changed a default setting in Power Apps to make using the service more secure and less likely to inadvertently expose data. Prior to the change, the company had warned in its Power Apps documentation of the danger of unsecured configurations, but that apparently went unnoticed.”

 

What Was Found in the Leak?

According to Threatpost, threat researchers found the following information along with the data mentioned above.

American Airlines: A collection of 398,890 “contact” records, which included full names, job titles, phone numbers, and email addresses. A second “test” collection of data included 470,400 records, which included full names, job titles, phone numbers, and email addresses.

Denton County, TX: A total of 632,171 records spilled included vaccination types, appointment dates and times, employee IDs, full names, email addresses, phone numbers, and birth dates. “The list ‘contactVaccinationSet’ had 400,091 records with fields for full names and vaccination types, and ‘contacts’ had 253,844 records with full names and email addresses,” researchers wrote.

J.B. Hunt Transport Services: The transportation logistics firm made public 905,228 records that included customer full names, email addresses, physical addresses, and phone numbers. Over a quarter-million of the records also included the US Social Security numbers.

Microsoft’s own The Global Payroll Services Portal: Researchers found 332,000 records of Microsoft employees and contractors with their @microsoft.com email address, full name, and phone numbers that appear to be for personal use.”

In its public disclosure, UpGuard mentioned that,

“In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated.”

 

The bottom line is the issue stems from the Open Data Protocol (OData) and PowerApps API. “If those configurations are not set, and the OData feed is enabled, anonymous users can access list data freely,” researchers wrote.

Threatpost explains that,

“More specifically, they focused on how data (such as personally identifiable information, or PII) is stored and formatted into “Table Permissions” for sharing – or not. The crux of the issue boiled down to configuration settings that instruct a PowerApps user to “set the Enable Table Permissions Boolean value on the list record to true.”

 

Note to Power Apps Users

Users of Microsoft’s PowerApps should be careful to set any data that contains personal information to private or risk exposure of it is publicly available online.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What is a Time-based One-time Password (TOTP)?

What is a Time-based One-time Password (TOTP)?

Authentication is the process that verifies the user's identity to control access to resources, prevent unauthorized users from gaining access to the system, and record user activities (to hold them accountable for their activities).

Corporate Fraud: Detection, Prevention, and the Role of Corporate Fraud Attorneys

Corporate Fraud: Detection, Prevention, and the Role of Corporate Fraud Attorneys

The growing scale of organizations and the more opportunities to push the boundaries have led to an upsurge in corporate fraud in recent years.

Is Upwork Legit and How To Protect Yourself?

Is Upwork Legit and How To Protect Yourself?

Doing business online has become simpler with the development of the Internet and mobile technologies. In general, both freelancers and clients benefit from the freelancing platforms.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close