Over one million CSV/JSON files with personal information of event registrants using Microsoft Teams, including phone numbers and email addresses, have been exposed to potential cybercriminals worldwide.

Security company Clario Tech, in partnership with cybersecurity researcher Bob Diachenko, discovered the exposure within EventBuilder, a virtual events integration tool for Microsoft products.

The data was stored on Microsoft Azure Blob Storage — Microsoft’s object storage solution for the cloud. The storage was partially public to host recorded sessions for link-only access. However, the webinars’ organizers inadvertently included registrants’ information in the blob, compromising the personal information of webinar attendees and potentially putting them in danger from cybercriminals across the globe.

“Eventbuilder is widely used by Microsoft and integrated with Teams,” says Diachenko. “So this data exposure is an interesting case study in how even the most advanced technology companies can expose themselves to data vulnerabilities.”

Over one million large-sized CSV/JSON files with Microsoft events registrants details and summaries, including:

  • Full names
  • Email addresses
  • Company names and position in a company
  • Phone numbers
  • Questionnaires answered

It is estimated that this exposure of personal information has impacted at least 100,000 people. Researchers say that anyone registered with EventBuilder should take the proper steps to protect their personal information, including installing credible cybersecurity software featuring identity protection and dark web monitoring.

Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security, says, “This incident is another case of general-purpose cloud storage not being secured appropriately by an application team. The security problem is the same as numerous other cloud data storage exposures. Engineering teams at EventBuilder did not properly secure sensitive information and protect it from public viewing. EventBuilder intended to make recorded webinar sessions available for public view; however, full registrant details, including many forms of PII, were also stored in public Azure Blob Storage instances and inadvertently exposed. The exact number of impacted users wasn’t given in the disclosure; however, the estimate is that hundreds of thousands of webinar attendees on the EventBuilder platform had their PII exposed.”

Isbitski explains, “The cloud providers equip organizations with functionality to report on and lock down their cloud data stores. Unfortunately, development and engineering teams don’t always consider cloud data storage’s misuse or abuse cases in application designs. This reality is sometimes a side effect of increasing pressure to deliver fast on new application functionality, and appropriate security controls are overlooked.”

Clario informed EventBuilder of the exposure earlier this summer, and EventBuilder has now fixed it. 

“This is an archetypal example of a SaaS provider not paying attention to permissions associated with cloud storage used to store customer information,” says Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company. “It is generally a bad idea to co-mingle data which is intended to be publicly available with data which should only be accessible to authenticated or privileged users as it requires discipline around maintaining fine-grained access control – which clearly did not happen in this case.”