Microsoft Power Apps misconfiguration exposes 38 million data records
According to reports from cybersecurity firm UpGuard, sensitive data including Covid-19 vaccination status, Social Security numbers, and email addresses has been exposed due to default configuration settings on Microsoft Power Apps. UpGuard found several different data leaks that, in total, exposed 38 million data records via Microsoft Power Apps portals that were accidentally configured to allow public access.
The data leaks have also impacted American Airlines, Microsoft, JB Hunt, and the governments of New York City, Maryland, and Indiana. UpGuard first uncovered the issue on May 24 and submitted a vulnerability report to Microsoft a month later. The misconfiguration was first detected in connection with the OData API for a Power Apps portal. UpGuard reported that the main issue is that all of the data types were public when some of the more sensitive data should have remained private. As a result, some private and sensitive data was surfaced. Power Apps is used to design and create public and private websites.