Following last week’s release of Microsoft’s preview version of Outlook for Android and a new version of Outlook for iOS, there have been mostly positive reviews popping up over the last few days, as well as Microsoft’s flattering statement that Outlook for iOS was already ahead of Gmail in the App Store charts.

The Verge went as far as to say that the “best Gmail app for the iPhone is now made by Microsoft”, while that opinion was also mirrored by The Times of India, who said in light of the Gmail app for iPhone being troublesome, “it took me just five minutes to decide to switch to Outlook and delete the Gmail app.”

The plaudits for the Outlook have been flowing in, and have mostly followed the same narrative: the app works flawlessly with Gmail (as well as other email providers); a search function that enables users to easily filter, schedule and archive emails is great; a calendar function that is accessible while you are in your inbox is useful; the ability to attach files via cloud storage facilities Dropbox, Google Drive and Microsoft’s One Drive enables better productivity.

On the whole, feedback on Outlook for mobile devices, a reincarnation of the acquired Francisco-based email application builder Acompli Inc., has been very impressive, and it looks like Microsoft’s cloud first, mobile first strategy could be tech history in the making. Although on the back of all the hand-clapping came a damning discovery by IBM developer René Winkelmeyer, who suggests we stop using the app immediately, calling it a “data security nightmare”.

Winkelmeyer states that the app has been pushed out too soon, alluding to the fact that it might have been better released as a preview. He writes, “I cannot believe that Microsoft has done what they’ve done.” His concerns are that the app “has built-in connectors to OneDrive, Dropbox and Google Drive”, adding that “It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that.”

Winkelmeyer extends his concerns saying that the app does not distinguish from one device to the other, meaning that the same ID will be used on your iPhone and iPad – another “security nightmare”, he says.

His greatest fear came when he disabled the app and then sent himself an email from another test account and although he had stopped the app he received push notifications. Upon further investigation he discovered the reason for this was that his email account was being scanned by an AWS IP address. This, he writes, “Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my PIM data.”

His advice: “Block them – Now.” You can follow his updates here.