38M Records Exposed via Microsoft Power Apps Misconfiguration

Published: 23/11/2024   Category: security




Researchers have notified 47 public and private organizations of data exposure from Power Apps configured to allow public access.



The UpGuard research team has disclosed multiple data leaks stemming from Microsoft Power App portals configured to allow public access. A total of 38 million records have been exposed.
Power Apps are used to build low-code, cloud-hosted business intelligence apps, and Power Apps portals are used to create public websites so internal and external users can gain access to an organization's data. The issue UpGuard is reporting involves the Open Data Protocol (OData) API, which is designed to retrieve data from Power Apps lists and is used to expose records for display on portals.
In its documentation for Power Apps portals, Microsoft warns OData feeds are public if they are misconfigured. If the correct configurations are not set and the OData feed is enabled, then list data can be freely accessed by anonymous users.
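The misconfiguration described above is straightforward to check for on a portal you administer: send one unauthenticated request to the OData service document and see whether the portal answers with entity sets or with an authorization error. The script below is an added example written for this article, not tooling from UpGuard or Microsoft. It assumes the feed lives at the conventional `/_odata` service root, and the two sample responses are constructed so the classification logic can be exercised offline.

```python
"""Self-audit: does a Power Apps portal you administer answer OData requests anonymously?

Added example for this article, not UpGuard's or Microsoft's tooling. Assumes the
portal exposes its OData feed at the conventional '/_odata' service root; the
sample responses at the bottom are constructed, not captured from any real portal.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

ODATA_ROOT = "/_odata"  # assumed service-root path for Power Apps portals


def odata_service_url(portal_url: str) -> str:
    """Build the service-document URL from a portal base URL."""
    return urljoin(portal_url.rstrip("/") + "/", ODATA_ROOT.lstrip("/"))


def classify_response(status: int, content_type: str, body: bytes) -> dict:
    """Interpret the result of an *anonymous* GET of the service document.

    Returns a verdict and, when the feed answered, the entity set names the
    portal advertises to unauthenticated clients. No records are fetched.
    """
    if status in (401, 403):
        return {"verdict": "protected", "entity_sets": []}
    if status == 404:
        return {"verdict": "feed-disabled", "entity_sets": []}
    if status == 200 and "json" in content_type.lower():
        try:
            doc = json.loads(body.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            return {"verdict": "unexpected", "entity_sets": []}
        # OData v4 service document: {"value": [{"name": ..., "kind": "EntitySet", "url": ...}]}
        names = [e.get("name") for e in doc.get("value", [])
                 if e.get("kind", "EntitySet") == "EntitySet"]
        if names:
            return {"verdict": "anonymous-access", "entity_sets": names}
        return {"verdict": "empty-feed", "entity_sets": []}
    return {"verdict": "unexpected", "entity_sets": []}


def audit_portal(portal_url: str, timeout: float = 10.0) -> dict:
    """Send a single unauthenticated request to your own portal's OData root."""
    req = urllib.request.Request(
        odata_service_url(portal_url),
        headers={"Accept": "application/json", "User-Agent": "odata-self-audit/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        body = err.read() if err.fp else b""
        return classify_response(err.code, err.headers.get("Content-Type", ""), body)


# Constructed sample responses (not from any real portal) so the logic runs offline.
SAMPLE_EXPOSED = (
    200,
    "application/json; odata.metadata=minimal",
    json.dumps({
        "@odata.context": "https://example-portal.invalid/_odata/$metadata",
        "value": [
            {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
            {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
        ],
    }).encode(),
)
SAMPLE_PROTECTED = (403, "text/html", b"<html>Forbidden</html>")

if __name__ == "__main__":
    print(odata_service_url("https://example-portal.invalid"))
    print(classify_response(*SAMPLE_EXPOSED))    # anonymous-access, two entity sets
    print(classify_response(*SAMPLE_PROTECTED))  # protected
```

A verdict of `anonymous-access` means the feed is enabled and table permissions are not restricting unauthenticated reads; the remediation is on the portal side (disable the OData feed on lists that do not need it, or enforce table permissions), not in the script. `audit_portal` is the only function that touches the network and should only be pointed at portals you operate.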
Researchers discovered this is the case for many organizations' data. On May 24, 2021, an UpGuard researcher found the OData API for a Power Apps portal had anonymously accessible list data, including personally identifiable information. A report was submitted to Microsoft on June 24.
UpGuard notified 47 organizations of exposures via the OData API involving personal data. Those affected include governmental bodies such as the state of Indiana, New York City Municipal Transportation Authority and NYC Schools, and the Maryland Department of Health, as well as private entities including American Airlines, Microsoft, and J.B. Hunt.
The types of exposed data vary depending on the portal but include personal data used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants, employee IDs, and millions of names and email addresses.
Read UpGuard's full blog post for more information.
