Microsoft forced to notify 3000 companies using Azure that their data could be read by anyone for over 2 years

by Surur
August 27, 2021
Microsoft Azure Cosmos DB

Moving to Azure was meant to make company data more secure, but it increasingly looks like it means hackers can slurp up private company data at will.

Reuters reports that Microsoft has just been forced to notify over 3,000 organizations, including giants such as ExxonMobil, Walgreens, Coca-Cola, Symantec, Zeiss, and Liberty Mutual Insurance, that any hacker could have read, modified or deleted data stored in their Azure Cosmos DB database for over 2 years now.

The vulnerability, dubbed “ChaosDB”, was discovered by security company Wiz and involved a series of misconfigurations in the Jupyter Notebook visualization feature that was automatically turned on in all installations of Cosmos DB.


Microsoft was informed of the issue on the 12th August and managed to remediate it by the 14th. Fortunately, there is no evidence that the flaw has actually been exploited in the wild.

Wiz, who recommends that all companies using Cosmos DB rotate and regenerate their primary access keys, was awarded $40,000 for their efforts.

via techspot
