Microsoft forced to notify 3000 companies using Azure that their data could be read by anyone for over 2 years




Microsoft Azure Cosmos DB

Moving to Azure was meant to make company data more secure, but it increasingly looks like it means hackers can slurp up private company data at will.

Reuters reports that Microsoft has just been forced to notify over 3,000 organizations, including giants such as ExxonMobil, Walgreens, Coca-Cola, Symantec, Zeiss and Liberty Mutual Insurance, that any hacker could have read, modified or deleted data stored in their Azure Cosmos DB databases for over 2 years.

The vulnerability, dubbed “ChaosDB”, was discovered by security company Wiz and involved a series of misconfigurations in the Jupyter Notebook visualization feature that was automatically turned on in all installations of Cosmos DB.

Microsoft was informed of the issue on 12 August and had remediated it by the 14th. Fortunately, there is no evidence that the flaw has actually been exploited in the wild.

Wiz, which recommends that all companies using Cosmos DB rotate and regenerate their primary access keys, was awarded $40,000 for its efforts.
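One way to carry out that key rotation with the Azure CLI, added here as an example (not code from the article, Wiz or Microsoft). The account name and resource group are placeholders, and it goes beyond the article's primary-key advice by regenerating the secondary and read-only keys as well, in an order that avoids an outage:

```shell
#!/bin/sh
# Added example: rotate every Cosmos DB account key with the Azure CLI.
# Order matters for the read-write pair: regenerate the secondary key
# first, switch clients to it, then regenerate the (possibly exposed)
# primary key. Account name and resource group are placeholders.
set -eu

AZ="${AZ:-az}"                           # set AZ=echo for a dry run
ACCOUNT="${ACCOUNT:-my-cosmos-account}"  # placeholder account name
RG="${RG:-my-resource-group}"            # placeholder resource group

# Regenerate one key. $1 is one of the CLI's key kinds:
# primary | secondary | primaryReadonly | secondaryReadonly
regenerate_key() {
    "$AZ" cosmosdb keys regenerate --name "$ACCOUNT" \
        --resource-group "$RG" --key-kind "$1"
}

# Show the current read-write keys after rotation (JSON from the CLI),
# so the new values can be pushed to the apps' secret store.
list_readwrite_keys() {
    "$AZ" cosmosdb keys list --name "$ACCOUNT" \
        --resource-group "$RG" --type keys
}

# Placeholder hook: redeploy clients with the fresh secondary key here.
switch_clients_to_secondary() {
    :
}

# Full rotation. Echoes the key kinds in the order they were rotated,
# one per line, so the sequence can be logged or checked.
rotate_all_keys() {
    regenerate_key secondary >/dev/null
    echo secondary
    switch_clients_to_secondary
    # Only now is the old primary key safe to invalidate.
    regenerate_key primary >/dev/null
    echo primary
    # Read-only keys are independent of the read-write pair.
    for kind in primaryReadonly secondaryReadonly; do
        regenerate_key "$kind" >/dev/null
        echo "$kind"
    done
}
```

After `rotate_all_keys`, clients should be moved back to the new primary key and the new key values distributed from `list_readwrite_keys`.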

via techspot
