A serious vulnerability in Microsoft Azure has exposed the data of thousands of customers of the cloud computing service, including some of the largest companies in the world. Microsoft notified users of the platform of the flaw in an email sent this Thursday (26), according to Reuters.
In the message, Microsoft told customers that attackers who exploited the flaw would have been able to read, modify, and delete data stored in Azure. However, the company says it has found no evidence of cyber attacks related to the flaw.
Cybersecurity company Wiz, which discovered the bug in Microsoft Azure, called it “the worst cloud vulnerability you can imagine” and revealed that it has existed since 2019. Experts from the Israeli firm verified that it was possible to access any database on the service.
By exploiting the flaw, attackers could gain access to the database’s primary keys. Source: Wiz/Reproduction
The flaw was in Cosmos DB, the platform’s main database, which two years ago received a new visualization tool called Jupyter Notebook. This feature was automatically enabled for all Cosmos databases in February this year.
Customers must change access keys
According to Wiz, which received a $40,000 reward for the discovery, around 3,300 Microsoft Azure customers may have been impacted. Among them are companies like Coca-Cola, Citrix and ExxonMobil, which use Cosmos DB to manage large amounts of data in real time.
A Microsoft spokesman told the news agency that the problem was fixed immediately, shortly after the company was notified on August 12th. The company representative also said that “all customers are safe and protected”.
Because Microsoft does not have the means to change the primary keys of each database, the company asked customers in the email to change the password manually to prevent any unauthorized access.