Microsoft Power Apps data leak exposed 38m records – UpGuard

24 Aug 2021

Image: © piter2121/

A misconfiguration in Microsoft’s Power Apps may have compromised sensitive Covid-19 and employee info from public and private bodies.

Microsoft’s Power Apps portals exposed 38m personal information records across more than 1,000 web apps, researchers at cybersecurity firm UpGuard have found.

They said that multiple data leaks exposed sensitive information such as Covid-19 contact-tracing details, vaccination appointments, social security numbers, employee IDs and millions of names and email addresses from at least 47 government and private organisations.

This includes big names such as American Airlines, Ford, logistics company JB Hunt and Microsoft itself. Maryland Department of Health, New York City’s transportation authority and the government of Indiana were some of the public bodies affected.

Power Apps is Microsoft’s software solution to help developers design low-code and cloud-hosted business apps.

UpGuard said the leaks resulted from Power Apps portals, which provide a way to give both internal and external users secure access to an organisation’s data, being configured to allow public access.

‘It was wild’

While none of the data is known to have been compromised, UpGuard said its investigation highlights the importance of addressing the issue of misconfigured apps to prevent such data leaks from happening in the future.

“We found one of these [portals] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” Greg Pollock, UpGuard’s vice-president of cyber research, told Wired.

“Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tonnes of these exposed. It was wild.”

UpGuard discovered the data leak in May and, after investigating further, informed Microsoft of the issue in June. It said Microsoft has since made changes to the portals to prevent any further leaks.

“Ultimately, Microsoft has done the best thing they can, which is to enable table permissions by default and provided tooling to help Power Apps users self-diagnose their portals,” UpGuard said in a post regarding the leaks.

“One potential learning for platform operators is to take ownership of misconfiguration issues sooner, rather than leave third-party researchers to identify and notify all instances of such misconfigurations.”

The Fastly outage earlier this year that led to major news and social media websites going offline was also likely due to a misconfiguration that spread swiftly through its systems.

Vish Gain is a journalist with Silicon Republic