Microsoft Azure ChaosDB Cosmos DB Vulnerability — All Azure Customers at Risk

📅 2021-08-09 🏢 Microsoft Azure Cosmos DB (globally distributed cloud database)

Incident Details

On 9 August 2021, Wiz.io security researchers discovered a critical vulnerability chain in Microsoft Azure Cosmos DB — Microsoft’s flagship globally distributed database service used by thousands of major companies. The researchers called it ‘ChaosDB.’ The vulnerability chain exploited a feature called Jupyter Notebook integrated into Cosmos DB, which allowed privilege escalation to gain access to other customers’ Cosmos DB primary keys, database contents, and connection strings — with no action required by the victim. An attacker with a Cosmos DB account could potentially access any other customer’s data.

Microsoft was notified on 9 August 2021 and disabled the Jupyter Notebook feature within 48 hours. Microsoft sent notifications on 26 August 2021 to approximately 3,300 Azure customers whose primary keys may have been accessible — though the researchers noted the vulnerability had existed since at least 2019 and potentially could have been exploited by anyone with an Azure account during that two-year period. Microsoft offered a $40,000 bug bounty for the discovery. Microsoft stated it found no evidence that external parties had discovered or exploited the vulnerability.

The case highlighted the severity of cloud provider vulnerabilities — where a single flaw in a shared platform can potentially expose all customers simultaneously — and the difficulty for customers to detect or prevent such exposures.

Technical Details

Initial Attack Vector
Wiz.io researchers discovered a chain of vulnerabilities in Azure Cosmos DB's Jupyter Notebook integration that allowed complete access to any Azure Cosmos DB customer's database — without any action required from the victim. The vulnerability enabled attackers to read, write, and delete data in Cosmos DB accounts belonging to any Azure customer.
Vendor / Product
Microsoft Azure Cosmos DB (globally distributed cloud database)

Timeline

  1. 2021-08-09 Breach occurred
  2. 2021-08-26 Publicly disclosed
  3. 2021-08-26 Customers notified