Microsoft is warning customers of its Azure cloud platform about a software vulnerability that exposed data belonging to thousands of clients for roughly two years.
The flaw would have allowed any Azure Cosmos DB user to read, write and delete another customer’s information without authorization, researchers found. Cosmos DB is used by thousands of organizations, including Coca Cola, Exxon Mobil and a number of other Fortune 500 companies. Microsoft has since resolved the issue, the company said.
“We fixed this issue immediately to keep our customers safe and protected,” a Microsoft spokesperson told CyberScoop.
There was no evidence that hackers or any other outsider exploited the vulnerability to access customer data, according to the company.
Reuters first reported on the vulnerability, which was discovered by Wiz research team.
Microsoft fixed the vulnerability within 48 hours of its disclosure on August 12, but that the vulnerability had been exploitable since mid-2019, according to Wiz researchers. Microsoft notified roughly over 30% of its clients about the data exposure, but researchers warn that the effects were likely more widespread.
“Every Cosmos DB customer should assume they’ve been exposed,” Wiz researchers wrote.
Microsoft has asked customers to reset keys to their accounts as a precautionary measure, according to an email sent from the company to customers shared by a Wiz researcher.
Microsoft declined to share how many companies it notified about the potential breach.
Microsoft customers have endured a series of high-stakes vulnerabilities in the past year, at least two of which had to do with its email client Exchange.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on August 21 issued an urgent warning that cybercriminals were actively exploiting a months-old vulnerability in Microsoft ProxyShell to attack company servers and send ransomware.
In March, Microsoft attributed a hacking campaign using a different Exchange exploit to Chinese hackers. The vulnerability was exploited by a second wave of attackers who used it to spread ransomware and rack up thousands of victims.
The company was also breached by Russian hackers as a part of a months-long campaign that infiltrated at least nine U.S. federal agencies.