Microsoft has warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft’s Cloud Security Group.
Because Microsoft cannot change those keys by itself, it emailed the customers on Thursday, telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.Microsoft also told routers that they have fixed this issue immediately to keep their customers safe and protected. They thanked the security researchers for working under coordinated vulnerability disclosure.
Microsoft’s email to customers said there was no evidence the flaw had been exploited. The company mentioned in a e-mail that they have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key. The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code. Then a wide number of hackers broke into Exchange email servers while a patch was being developed.