Illustration by Alex Castro / The Verge
Default permissions settings in an app-building tool from Microsoft have been blamed for exposing the data of 38 million people online. Information including names, email addresses, phone numbers, social security numbers, and COVID-19 vaccination appointments was inadvertently made publicly accessible by 47 different companies and government entities using Microsoft’s Power Apps platform. There’s no evidence of the data being exploited, though, and the underlying issue has now been fixed by Microsoft.
The problem was originally discovered in May by security research team UpGuard. In a recent blog post from UpGuard and a report from Wired, the company explains how organizations using Power Apps created apps with improper data permissions.