
Web app data leaked: 38M records exposed, including vaccination statuses

Do you know how many websites store your personal information? Think about all the accounts you have. Many of them store user information using third-party software and servers. And hackers remain a constant threat to that data.

Not satisfied with going after the general population, they target the biggest companies, plus the government and military. If you have information on a cyberattack in the U.S. under the direction of a foreign government, you can collect a huge reward from the State Department.

There’s always a chance for things to go wrong and data to be leaked even without the intervention of bad actors. One such case is the recent discovery of exposed records from 1,000 web apps that utilize Microsoft’s Power Apps platform. Keep reading to find out the risks and ways to see if your data was leaked.

Here’s the backstory

On May 24, 2021, a security researcher with UpGuard discovered accessible list data that included personally identifiable information in a Power Apps portal that should have been private.

The owner of the application was notified and the list was secured. But researchers looked further into the matter to discover that other portals also had this exposure: more than a thousand anonymously accessible lists across a few hundred portals.

Power Apps is a service that simplifies the process of making apps using collected data and provides application programming interfaces (APIs). Researchers at UpGuard found that when users enabled the APIs, Power Apps made the users’ data public by default.

UpGuard submitted a vulnerability report to the Microsoft Security Resource Center on June 24, and the investigation began the same day. The firm then notified more companies of the problem and raised an abuse report with Microsoft. By July 19, the flaw was mostly resolved.

Among the affected sites, entities and companies were:

  • Governmental bodies used Power Apps for COVID-19 tracing or vaccination tracking and had a portal with job applicant data including Social Security numbers.
  • Among the sites with exposed data was American Airlines, which had hundreds of thousands of records including names, phone numbers and email addresses.
  • The data collected from Ford had more than 100,000 records including names, titles and phone numbers in addition to email addresses.
  • J.B. Hunt had nearly a million records with fields for names, email addresses and phone numbers. Among them were also Social Security numbers as well as 50,000 records containing drug screening information.
  • COVID-19 information for Denton County, Texas, the New York City Municipal Transportation Authority, NYC Schools and the state of Indiana was exposed.
  • A total of 38 million records were exposed across all the portals.

Check up on your data

Though the issue has been resolved and there’s no indication that the data was exploited before it was discovered, this is still a scary situation.

You can check if your data has been exposed by using HaveIBeenPwned. Go to the site and enter your email address or phone number, then hit the pwned? button. It’s a tool that shows if your information has been compromised.
