Web app data leaked: 38M records exposed, including vaccination statuses
Do you know how many websites store your personal information? Think about all the accounts you have. Many of them store user information using third-party software and servers. And hackers remain a constant threat of stealing your data.
Not satisfied with going after the general population, they also target the biggest companies, the government and the military. If you have information on a cyberattack in the U.S. carried out under the direction of a foreign government, you can collect a substantial reward from the State Department.
There’s always a chance for things to go wrong and data to be leaked even without the intervention of bad actors. One such case is the recent discovery of exposed records from about 1,000 web apps built on Microsoft’s Power Apps platform. Keep reading to find out the risks and how to see if your data was leaked.
Here’s the backstory
On May 24, 2021, a security researcher with UpGuard discovered accessible list data that included personally identifiable information in a Power Apps portal that should have been private.
The owner of the application was notified and the list was secured. But researchers looked further into the matter to discover that other portals also had this exposure: more than a thousand anonymously accessible lists across a few hundred portals.
Power Apps is a service that simplifies the process of making apps using collected data and provides application programming interfaces (APIs). Researchers at UpGuard found that when users enabled the APIs, Power Apps made the users’ data public by default.
UpGuard submitted a vulnerability report to the Microsoft Security Resource Center on June 24, and the investigation began the same day. The firm then notified more companies of the problem and raised an abuse report with Microsoft. By July 19, the flaw was mostly resolved.
Among the affected sites, entities and companies were:
- Governmental bodies used Power Apps for COVID-19 contact tracing or vaccination tracking, and one had a portal with job applicant data, including Social Security numbers.
- Among the sites with exposed data was American Airlines, which had hundreds of thousands of records including names, phone numbers and email addresses.
- The data collected from Ford had more than 100,000 records including names, titles and phone numbers in addition to email addresses.
- J.B. Hunt had nearly a million records with fields for names, email addresses and phone numbers. Among them were also Social Security numbers as well as 50,000 records containing drug screening information.
- COVID-19 information for Denton County, Texas, the New York City Municipal Transportation Authority, NYC Schools and the state of Indiana was exposed.
- A total of 38 million records were exposed across all the portals.
Check up on your data
Though the issue has been resolved and there’s no indication that the data was exploited before it was discovered, this is still a scary situation.