Microsoft warns thousands of cloud customers of data vulnerability
The problem involved keys used to access Microsoft Azure’s flagship database service Cosmos DB, and was discovered two weeks ago by cybersecurity company Wiz.
“Imagine our surprise when we were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies,” Wiz said on its blog Thursday.
Companies including Coca-Cola and Exxon-Mobil use Cosmos DB “to manage massive volumes of data around the world in real time,” Wiz added.
The cloud service is used to store data, as well as to analyze and process everything from orders from suppliers to transactions with consumers.
According to Microsoft, customers who may have been impacted were notified, but there was no evidence the flaw had been exploited by malicious actors.
“We fixed this issue immediately to keep our customers safe and protected,” a Microsoft spokesperson told AFP.
Microsoft told more than 30 percent of Cosmos DB customers that they needed to change their access keys, according to Wiz.
But the cybersecurity firm warned others could be at risk.
“Microsoft only emailed customers that were affected during our short (approximately weeklong) research period,” Wiz said. “However… the vulnerability has been exploitable for at least several months, possibly years.”
Microsoft is one of the world’s biggest cloud service providers, behind Amazon. Demand has skyrocketed during the COVID-19 pandemic with the growth of working from home and reliance on digital services for things like entertainment and shopping.
The US tech company has recently suffered a series of security issues.
Earlier this year, Microsoft disclosed that a state-sponsored hacking group operating out of China was exploiting security flaws in its Exchange email services, a potentially devastating hack believed to have affected at least 30,000 Microsoft email servers in government and private networks.
The company was then also attacked by the suspected Russian group behind the 2020 hack of the SolarWinds software company.
This week, tech bosses including from Microsoft, met with US President Joe Biden to discuss ways to fight ransomware attacks and defend cloud computing systems from hackers.