When AI Backfires: What We Can Learn from Asana’s Data Exposure Incident

On June 4, 2025, Asana confirmed a significant flaw in its Model Context Protocol (MCP) server, a tool designed to help users interact with AI more effectively across projects and teams. The problem wasn’t a breach or an external hack, but an internal logic bug that allowed some users to see sensitive information from other organizations.

And while Asana’s quick response helped limit the damage, the incident is a wake-up call. MCPs are new, fast-moving, and deeply integrated into how AI systems work behind the scenes. This won’t be the last issue we see.

Asana traced the issue to a flawed tenant isolation check in the MCP server. In short, users under specific conditions could unintentionally access project data, tasks, comments, and files from other organizations using the same MCP system. It wasn’t an attack, but the result was the same: data that should’ve been private ended up exposed.

Here’s how things played out:

• May 1: Asana launched the MCP server. The vulnerability was present from day one.

• June 4: The issue was discovered. Asana took the server offline immediately, investigated, and fixed the code.

• June 16: Affected customers, roughly 1,000 of them were notified.

• Ongoing: Asana is working to bring the server back online safely.  

While the exposure was limited to what users already had access to within their own organizations, cross-org data visibility meant the following types of information may have leaked:

• Task details

• Project metadata

• Team structure

• Comments and discussions

• Uploaded files

What You Should Do If You Use MCP or Similar Systems

‍

If your teams use AI context servers like Asana’s MCP, it’s a good idea to:

• Review logs for any cross-tenant or unauthorized access

• Audit AI-generated content that may have included unintended data

• Remove any data that doesn’t belong to your organization

• Temporarily pause automated reconnections until everything is verified

• Ask for a complete record of affected users and activity if your vendor supports it

Asana’s response was fast and transparent but this incident highlights a deeper truth: MCP systems introduce a new layer of security risk that many teams aren’t ready for yet. These context servers plug directly into AI workflows, with access to everything from tasks and files to tools and API keys. That’s a lot of power and a lot of exposure when something goes wrong.

To protect your organization from future incidents like Asana’s, keep these principles in mind:

• Limit scope aggressively. Don’t give tools or users more access than they need especially when using MCPs.

• Log everything. Every prompt, API call, and context request should be traceable.

• Treat internal bugs as critical incidents. Just because it wasn’t an attacker doesn’t mean the impact isn’t real.

MCPs are powerful, and they’re evolving fast sometimes faster than the security tools and policies meant to protect them. The Asana incident won’t be the last of its kind. The key is to get ahead of these risks now, while adoption is still growing.

Whether you're building MCP tools, integrating with them, or just trying to figure out how to use AI securely, take this as a clear sign: Context is power. And power needs guardrails.

Stay tuned. This space is moving quickly and so are the threats.

‍