Moving to Azure was meant to make company data more secure, but it increasingly looks like it means hackers can slurp up private company data at will.
Reuters reports that Microsoft has just been forced to notify over 3,000 organizations, including giants such as ExxonMobil, Walgreens, Coca-Cola, Symantec, Zeiss, and Liberty Mutual Insurance, that any hacker could have read, modified or deleted data stored in their Azure Cosmos DB databases for over 2 years now.
The vulnerability, dubbed “ChaosDB”, was discovered by security company Wiz and involved a series of misconfigurations in the Jupyter Notebook visualization feature that was automatically turned on in all installations of Cosmos DB.
Microsoft was informed of the issue on the 12th of August and managed to remediate it by the 14th. Fortunately, there is no evidence that the flaw has actually been exploited in the wild.
Wiz, which recommends that all companies using Cosmos DB rotate and regenerate their primary access keys, was awarded $40,000 for its efforts.