Researchers who identified a significant security vulnerability in the primary databases of Microsoft Corp.’s Azure cloud platform on Saturday urged all users, not just the 3,300 that were notified this week, to change their digital access keys.
Researchers at Wiz, a cloud security firm, revealed this month that they could have gained access to the primary digital keys for most users of the Cosmos DB database system, allowing them to steal, change, or destroy millions of records, as first reported by Reuters.
Wiz alerted Microsoft, which quickly fixed the configuration error that would have let any Cosmos user easily access other customers’ databases, then on Thursday notified some users to change their keys.
In a blog post on Friday, Microsoft warned customers who had set up Cosmos access during the week-long research period. It said that it had discovered no evidence that any attackers had exploited the same vulnerability to gain access to customer data.
“Our investigation shows no unauthorized access other than the researcher activity,” Microsoft wrote.
“Notifications have been sent to all customers that could be potentially affected due to researcher activity,” it added. It may have been referring to the possibility that Wiz’s technique had leaked.
“Though no customer data was accessed, it is recommended you regenerate your primary read-write keys,” it said.
In a bulletin on Friday, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency used harsher wording, indicating that it was not only referring to individuals who had been alerted.