Microsoft Azure vulnerability exposed data of thousands of companies, potentially for years


What you need to know

  • A vulnerability in Microsoft Azure left data from several Fortune 500 companies exposed.
  • It's believed that the vulnerability has been exploitable for several months and potentially years.
  • Microsoft has addressed the issue, though some organizations may need to take further action to mitigate the vulnerability.

Microsoft's Azure had a vulnerability that left data exposed, potentially for the last two years. The issue stems from a flaw in Microsoft's Azure Cosmos DB. The data of over 3,300 Azure customers could be accessed without restriction by attackers who exploited the vulnerability.

Azure Cosmos DB is a database service for modern app development. Microsoft lists major customers of Azure Cosmos DB on its website, including Coca-Cola, Citrix, ExxonMobil, Liberty Mutual Insurance, and Albertsons-Safeway. Microsoft's Skype also uses Azure Cosmos DB.

Wiz discovered the vulnerability (via The Verge). Its chief technology officer, Ami Luttwak, said, "This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted."


Microsoft added a feature called Jupyter Notebook to Cosmos DB in 2019. The feature lets people visualize data and create custom views. It was automatically enabled for all Cosmos DBs in February 2021. Due to a series of misconfigurations, Wiz was able to exploit Jupyter Notebook to gain privileged access to the primary keys of customers' Cosmos DBs. With the keys, Wiz gained full access to DBs with read, write, and delete permissions.

The issue was discovered two weeks ago, and Microsoft fixed it within 48 hours of Wiz reporting it. Because Microsoft cannot change customers' primary access keys on their behalf, it had to tell customers to regenerate the keys themselves, which mitigates any exposure from the vulnerability.
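The key regeneration Microsoft asked customers to perform can be scripted. The following is an added example, not code from the article or from Microsoft: it assumes the Az.CosmosDB and Az.KeyVault modules and a signed-in session, and the account, resource-group and vault names are placeholders. It rotates the secondary key first so applications can be moved onto a fresh key before the possibly exposed primary key is invalidated.

```powershell
# Rotate the read-write keys of a Cosmos DB account without downtime.
# Assumes Connect-AzAccount has already been run. Names below are placeholders.
param(
    [string]$ResourceGroupName = "rg-placeholder",
    [string]$AccountName       = "cosmos-placeholder",
    [string]$VaultName         = "kv-placeholder",      # where apps read the key from
    [string]$SecretName        = "cosmos-account-key"   # hypothetical secret name
)

function Regenerate-CosmosKey {
    param([ValidateSet("Primary", "Secondary")][string]$KeyKind)
    # Invalidates the old key of this kind and issues a new one.
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName `
        -Name $AccountName -KeyKind $KeyKind | Out-Null
    $keys = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName `
        -Name $AccountName -Type "Keys"
    # Property names as documented for Az.CosmosDB; verify on your module version.
    if ($KeyKind -eq "Primary") { return $keys.PrimaryMasterKey }
    return $keys.SecondaryMasterKey
}

function Publish-CosmosKey {
    param([string]$Key)
    # Applications are assumed to pull the account key from this Key Vault secret
    # at connection time, so updating it moves them onto the new key.
    $secure = ConvertTo-SecureString -String $Key -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $secure | Out-Null
}

# 1. Issue a fresh secondary key and move applications onto it.
$newSecondary = Regenerate-CosmosKey -KeyKind "Secondary"
Publish-CosmosKey -Key $newSecondary
Write-Host "Applications now use the new secondary key; allow them to reconnect."

# 2. Only then invalidate the primary key that may have been exposed.
$newPrimary = Regenerate-CosmosKey -KeyKind "Primary"
Publish-CosmosKey -Key $newPrimary
Write-Host "Primary key regenerated; applications moved back onto it."

# 3. Read-only keys were not named in the disclosure, but rotating them too
#    costs nothing if no consumer depends on them.
foreach ($kind in "PrimaryReadonly", "SecondaryReadonly") {
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName `
        -Name $AccountName -KeyKind $kind | Out-Null
}
```

Wait for application reconnects between steps 1 and 2 in a real run; anything still holding the old primary key will start failing the moment it is regenerated, which is also the signal to look for in Cosmos DB diagnostic logs to confirm every consumer has moved.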

Microsoft notified the 30% of its Cosmos DB customers that were affected according to Wiz's research. Wiz believes the vulnerability has been exploitable for at least several months, and that it could have been exploitable for years.

While the security implications of the vulnerability are serious, Microsoft says there is no evidence that attackers have used it to obtain data. A statement from Microsoft to Bloomberg explains that "There is no evidence of this technique being exploited by malicious actors." Microsoft adds that it is "not aware of any customer data being accessed because of this vulnerability."

Wiz received $40,000 from Microsoft for discovering the vulnerability, according to Reuters.

Microsoft has had a series of security issues of late, including the PrintNightmare vulnerabilities and the attack on its Exchange servers.

Sean Endicott
News Writer

Sean Endicott is a News Writer at Windows Central, where he covers Windows 11, Surface hardware, Microsoft 365, AI, apps, and the broader PC ecosystem. Since joining the site in 2017, he has written well over a thousand articles across the Microsoft landscape, covering breaking news, analysis, and feature reporting.

He writes Windows Wrap, a weekly column covering the biggest stories in Windows and the PC industry, and what they mean for the platform going forward.

Before joining Windows Central full-time, Sean worked in journalism and media production after earning a First Class degree in Broadcast Journalism from Nottingham Trent University. Outside of tech, he is an award-winning American football coach based in Nottingham, England, and was named BAFCA Youth Coach of the Year in 2024.