Microsoft’s PowerApps platform has been leaking user data for years, and now it seems to be getting even worse. A new report from The Intercept shows that 38 million Microsoft users’ data has been leaked to a third party since the platform was first released in 2016. The leak comes as a surprise, as Microsoft has always been tight-lipped about the platform’s inner workings. However, it is not clear how this data got into the hands of a third party. It is possible that someone hacked into the platform or that someone stole user data from Microsoft itself. Microsoft has already announced that it is working on a fix for the issue. However, this will likely require users to sign up for new accounts or update their software in order to take advantage of the new features.
What Happened With Microsoft Power Apps?
Essentially, the Microsoft Power Apps platform defaulted to making data publicly accessible instead of keeping the data private by default, as discovered by Upguard and reported by Wired. Unfortunately, this meant that anyone looking to quickly get a web app up and running with these APIs would need to manually enable security, rather than the other way around.
“The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure,” Upguard said in a blog post.
Microsoft Power Apps are used by a wide range of companies and government bodies. Because it’s quick and easy to get a website or app going, it was used quite frequently for COVID-19 tools such as contact tracing, vaccine sign-up forms, and so on. The platform was also popular for storing job application portals and employee databases.
These tools could contain sensitive user data, and a shocking number of them didn’t have the security measures turned on. That means data such as phone numbers, home addresses, social security numbers, and Covid-19 vaccination status were exposed to anyone who happened to be looking for them.
Just a few examples of organizations that this affected are American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools.
Is There a Fix?
Fortunately, the situation has already been addressed by Microsoft. The company has now made it so the default settings do not allow API data and other information to be publicly available. Instead, developers will need to enable this setting manually, which is probably how it should have been from day one.
There’s always going to be data that developers want public, so they’ll have to go through the extra step of making select data available rather than going through the extra effort to make it hidden. This is definitely a better way to go for people using these web apps, as it lets them rest assured that their private data is kept confidential. However, the damage is done in this case. We’ll need to wait for the fallout to see how bad it is.