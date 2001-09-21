On Aug. 26, Microsoft notified several thousand of its cloud customers affected by the issue via email. In the message, the company warned its customers that attackers had the ability to read, modify and even delete all of the main databases. Luttwak managed to gain access to primary read-write keys, which he used to gain full access to customer databases. Because Microsoft could not change these keys itself, the company asked its customers to take action and replace their Cosmos DB primary key as a precaution. Although the security hole has already been closed, customers should take this step to definitively prevent a possible compromise of the databases. Microsoft further writes in the message that it has found no evidence that third parties (with the exception of Wiz) have accessed the keys.

[...] The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency used stronger language in a bulletin, making clear it was speaking not just to those customers that had been notified, but to everyone using Azure Cosmos DB:

"CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key".

[...] Luttwak said: "This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted."

For European Azure cloud customers who have personal data stored in a Cosmos DB instance, there is also the question of whether a precautionary GDPR notification must be sent to the responsible data protection authorities within 72 hours due to a possible security incident.

[...] The hack of Microsoft's Azure database shows once again that encryption is the best tool we have to fend off malicious attackers and to keep our data safe.

When data is stored in the cloud, the only way to properly protect this data is end-to-end encryption - free from any kind of backdoor.