38 million data records exposed in Microsoft Power Apps misconfiguration

It was recently reported that sensitive data has been exposed due to a misconfiguration in Microsoft Power Apps.

Around 38 million data records, including COVID-19 vaccination statuses, social security numbers, and email addresses, were leaked via Microsoft Power Apps portals configured to allow public access.

The exposed data reportedly affected American Airlines, Microsoft, and J.B. Hunt, as well as the governments of Indiana, Maryland, and New York City. The issue was first discovered on May 24, and a vulnerability report was submitted to Microsoft on June 24. The misconfiguration was that all data types were public when some should have been private.

There is still no information on whether the issue has been fixed.