Data leak
Microsoft Power Apps Portals Misconfiguration: 38 Million Records Exposed from 47 Organizations
Primary Source: Incident Details
Security researchers at UpGuard and Wiz.io discovered in mid-2021 that Microsoft Power Apps portals had a default configuration that left internal data tables publicly accessible on the internet. Across 47 organizations, including American Airlines, Ford Motor Company, JB Hunt, the New York City Municipal Transportation Authority, the New York City Department of Education, Indiana’s state government, and various COVID-19 contact tracing programs, approximately 38 million records were exposed. Exposed data included COVID-19 vaccination status and contact tracing data, employee information, Social Security numbers, PII from job applications, and government benefit eligibility data. Microsoft was notified by UpGuard in late June 2021 and initially considered the exposures to be customer misconfigurations rather than a platform vulnerability. After pressure from security researchers and media attention, Microsoft changed the default setting to ‘private’ in August 2021 and added a new tool to help administrators identify and secure exposed tables. The incident highlighted how low-code/no-code platform defaults can create large-scale unintentional data exposures affecting multiple organizations sharing a common platform.
Technical Details
- Initial Attack Vector
- Microsoft Power Apps portals defaulted to allowing public table access; organizations inadvertently exposed internal databases containing PII because Microsoft's default configuration required administrators to explicitly disable public access, a non-intuitive security posture that many missed
- Vendor / Product
- Microsoft Power Apps Portals (low-code platform)
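The check an administrator would want after reading the above is whether a portal they operate still serves table rows to a client with no credentials. The script below is an added example, not code from the incident report or from Microsoft; it assumes (not stated on this page) that Power Apps portals publish their OData feed under `/_odata/<table>` on the portal host, that an exposed table answers an anonymous GET with a JSON object whose `value` list holds rows, and that a locked-down table answers 401/403 or an empty list.

```python
"""Audit a Power Apps portal you administer for anonymous OData table access.
Added example; the /_odata path and response shapes are assumptions."""
import json
import urllib.error
import urllib.request

ODATA_PATH = "/_odata"  # assumption: base path of the portal's OData feed


def classify_odata_response(status: int, body: bytes) -> str:
    """Map an anonymous (no cookie, no token) OData response to a verdict.

    Returns "EXPOSED", "PROTECTED", "NOT_ENABLED" or "UNKNOWN".
    """
    if status in (401, 403):
        return "PROTECTED"  # anonymous access is denied
    if status == 404:
        return "NOT_ENABLED"  # no OData feed published for this table
    if status != 200:
        return "UNKNOWN"
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "UNKNOWN"  # not JSON, e.g. a login page or error HTML
    rows = payload.get("value") if isinstance(payload, dict) else None
    if isinstance(rows, list) and rows:
        return "EXPOSED"  # rows were returned with no credentials at all
    return "PROTECTED"  # 200 but no rows: table permissions filtered everything


def audit_portal(base_url: str, table: str, timeout: float = 10.0) -> str:
    """GET <base_url>/_odata/<table> with no credentials and classify it."""
    url = f"{base_url.rstrip('/')}{ODATA_PATH}/{table}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_odata_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_odata_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample responses standing in for a live portal.
    leaked = json.dumps({"value": [{"contactid": "c-1", "ssn": "***"}]}).encode()
    print(classify_odata_response(200, leaked))  # EXPOSED
    print(classify_odata_response(403, b""))     # PROTECTED
```

Run `audit_portal` against each table name your portal publishes; any `EXPOSED` verdict means table permissions are not enforced for that table.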
Timeline
- 2021-05-01 Breach occurred
- 2021-08-23 Publicly disclosed
- 2021-08-23 Customers notified