The personal information of hundreds of thousands of people who attended online events has been accessible online due to a misconfiguration in the EventBuilder platform, a widely used event management tool designed for Microsoft Teams and other Microsoft products.
The data leak was discovered by security researcher Bob Diachenko and Clario Tech, a company that provides consumer security and privacy products.
Diachenko and Clario discovered an unprotected Microsoft Azure Blob storage containing thousands of large CSV and JSON files that stored Microsoft event registrants' details and summaries. The leaked personal information included full names, email addresses, company names and positions in the company, phone numbers, and answered questionnaires.
“The storage in question was supposed to be partially public, to host recorded sessions for link-only access. However, for some reason, the webinar organizers were putting registrant information into the blob. This meant it was open to indexing by a Public Bucket searcher (Grayhat Warfare), thus compromising their personal information and potentially putting them in danger of being targeted by hackers from across the globe,” Clario’s Andriy Slynchuk explained in a blog post.
“The estimated number of records leaked is unknown but based on the exposed file sizes, it could run into the hundreds of thousands.”
The researchers contacted EventBuilder about the data leak on June 10 and the issue was resolved on the same day.
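The failure described above, data files with registrant fields sitting in storage that was meant to serve recordings publicly, can be checked for from the defender's side. The following audit is an added example, not code from EventBuilder, Clario or Microsoft; the inventory format, the `PII_HINTS` list and all sample values are constructed for illustration.

```python
import csv, io, json

# Anonymous-access levels of an Azure Blob container: None (private), "blob"
# (read a blob whose URL is known), "container" (read and list every blob).
PII_HINTS = ("name", "email", "phone", "company", "title", "position")  # assumed list
DATA_EXTS = (".csv", ".json")

def field_names(blob_name, text):
    """Return the CSV header columns or the JSON top-level keys of a data file."""
    if blob_name.lower().endswith(".csv"):
        return next(csv.reader(io.StringIO(text)), [])
    try:
        doc = json.loads(text)
    except ValueError:
        return []
    if isinstance(doc, list):          # array of records: inspect the first one
        doc = doc[0] if doc else {}
    return list(doc) if isinstance(doc, dict) else []

def audit(containers):
    """Return (severity, container, blob, pii_fields) for anonymously readable data files."""
    findings = []
    for c in containers:
        access = c["public_access"]
        if access is None:             # private container: nothing is exposed
            continue
        for name, text in c["blobs"].items():
            if not name.lower().endswith(DATA_EXTS):
                continue               # recordings are the intended public content
            pii = [f for f in field_names(name, text)
                   if any(h in f.lower() for h in PII_HINTS)]
            if pii:                    # listable containers can be indexed, so rank higher
                severity = "high" if access == "container" else "medium"
                findings.append((severity, c["name"], name, pii))
    return findings

# Constructed sample inventory (hypothetical export of container settings and contents).
SAMPLE = [
    {"name": "recordings", "public_access": "container", "blobs": {
        "session-01.mp4": "",
        "session-01-registrants.csv": "Full Name,Email,Company,Job Title,Phone\n"
                                      "Jane Doe,jane@example.com,Example Corp,Analyst,555-0100\n",
        "session-01-summary.json": '[{"email": "jane@example.com", "attended": true}]'}},
    {"name": "internal", "public_access": None,
     "blobs": {"all-registrants.csv": "Full Name,Email\n"}},
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
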