Written by Tonya Riley
Microsoft is warning customers of its Azure cloud platform about a software vulnerability that exposed data belonging to thousands of clients for about two years.
The bug would have allowed any Azure Cosmos DB user to read, write and delete another customer’s information without authorization, researchers found. Cosmos DB is used by thousands of organizations, including Coca-Cola, Exxon Mobil and a number of other Fortune 500 companies. Microsoft has since fixed the problem, the company said.
“We resolved this issue immediately to keep our customers safe and secure,”
There was no evidence that hackers or other outsiders exploited the vulnerability to gain access to customer data, according to the company.
Reuters first reported on the vulnerability, which was discovered by the Wiz research team.
Microsoft resolved the vulnerability within 48 hours of its disclosure on August 12, but the vulnerability had been exploited since mid-2019, according to Wiz researchers. Microsoft notified about 30% of its clients about the data exposure, but researchers warn that the effects were probably more widespread.
“Every Cosmos DB customer should assume that they have been exposed,” wrote Wiz researchers.
Microsoft has asked customers to reset the keys to their accounts as a precaution, according to an email sent from the company to customers shared by a Wiz researcher.
Microsoft declined to say how many companies it notified of the potential breach.
Microsoft customers have experienced a number of high-profile vulnerabilities over the past year, at least two of which involved the Exchange email client.
On August 21, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an urgent warning that cybercriminals were actively exploiting the month-old ProxyShell vulnerability in Microsoft Exchange to attack servers and deploy ransomware.
In March, Microsoft attributed a hacking campaign that used another Exchange exploit to Chinese hackers. The vulnerability was then exploited by a second wave of attackers who used it to spread ransomware and compromise thousands of victims.
The company was also hacked by Russian hackers as part of a month-long campaign that infiltrated at least nine US federal agencies.