Thousands of Microsoft Customers Exposed Through Critical Cosmos Database Flaw

Edward Kost
Edward Kost
August 30, 2021

The cybersecurity spotlight hasn’t shifted from Microsoft for most of 2021. The latest in a string of critical security issues is a vulnerability in Microsoft Azure’s flagship Cosmos DB Database.

The exposure, discovered by security company Wiz, impacted thousands of customers hosting their data on the cloud solution, including Coca-Cola, Skype, and Rolls-Royce.

A series of flaws in a Cosmos DB feature allowed anyone to download, delete or manipulate mass collections of commercial databases with both read and write access to the underlying Cosmos DB architecture.

The principal flaw that opened this pathway is linked to a Jupyter Notebook feature used for data vizualization. A series of misconfigurations permitted privileged escalation into customer notebooks which could then lead to the discovery of each customer’s Cosmos DB primary key - allowing full read, write, and delete access to customer data.

Wiz reported the issue to Microsoft’s security team who then disabled the Juptyer feature within 48 hours. Because these primary keys cannot be changed by Microsoft, all impacted customers were urged to create new keys.

This exposure was remediated before it was discovered and exploited by cyber attackers, preventing a potentially catastrophic data breach.

On August 23, another customer database exposure was announced by the UpGuard research team. Faulty default permission settings in Microsoft’s Power Apps exposed 38 million user records including social security numbers, COVID-19 vaccination data, and job applicant data.

Earlier in August, CISA issued an urgent warning about three vulnerabilities facilitating remote code execution on Microsoft Exchange servers.

In July, a Windows print spooler remote code vulnerability, if exploited, would have allowed attackers to run arbitrary codes with system privileges to install malicious programs, delete data, or create new accounts with full user rights.

And in December 2020, Solarwinds hackers accessed Microsoft’s source code repositories for its Azure, Intune, and Exchange components.

These exposures highlight the complexity of securing a cloud environment. Because the transition to cloud technology is necessary to maintain a competitive advantage, the future of data security depends upon a reliable defense for this multiplex attack surface.

How secure is Microsoft?

Microsoft Corporation (, abbreviated as MS) is an American multinational technology company with headquarters in Redmond, Washington. It develops, manufactures, licenses, supports and sells computer software, consumer electronics, personal computers, and related services. Its best known software products are the Microsoft Windows line of operating systems, the Microsoft Office suite, and the Internet Explorer and Edge web browsers.
  • Check icon
    View our free preliminary report on Microsoft’s security posture
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
Security ratings
Abstract shape
Deliver icon

Sign up for our newsletter

Stay up-to-date on everything UpGuard with our monthly newsletter, full of product updates, company highlights, free cybersecurity resources, and more.
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating