Sensitive data, including COVID-19 vaccination status, social security numbers and email addresses, was exposed online due to weak default settings in Microsoft Power Apps, according to UpGuard.
UpGuard Research revealed multiple data leaks exposing 38 million records through Microsoft Power Apps portals that were configured to allow public access.
The data leaks affected the companies American Airlines, Microsoft and JB Hunt, and the governments of Indiana, Maryland and New York.
UpGuard Research first discovered the OData API problem on a Power Apps portal on May 24 and submitted a vulnerability report to Microsoft on June 24.
According to UpGuard, the primary problem is that all data types were public, while some data, such as personal identification, should have been private. The misconfiguration resulted in some very private data being exposed.
Microsoft Power Apps is a set of tools for designing applications and creating public and private websites.