Nearly 38 Million Records Exposed Through Misconfigured Databases

Security firm UpGuard has confirmed that it discovered numerous caches of data belonging to various high-profile companies. The information was stored on Microsoft’s Power Apps portal, a platform that allows easy creation of a site while also managing data on the backend. Although the exposures have since been addressed, they affected American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. Information such as vaccination status, phone numbers, home addresses, and Social Security Numbers was available to view. Through further analysis, UpGuard researchers realized “when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible. Enabling privacy settings was a manual process. As a result, many customers misconfigured their apps by leaving the insecure default,” stated Lily Hay Newman.

Analyst Notes

These incidents demonstrate that issues like this would be greatly reduced if companies that provide cloud storage and data management made the default setting one that automatically keeps the data secure. Microsoft has now done this and has made it easier for users of Power Apps portals to check their configuration settings. It would be refreshing to see more platforms make this move in the future and hopefully cut down on the number of data exposures. It is important for every company and individual using cloud hosting solutions to carefully check the settings for data availability and ensure that sensitive data is not exposed to the public.