News

6.5TB of Microsoft Bing user data potentially leaked online

A server containing user data was left unprotected in the first week of September, researchers say

24 Sep 2020

The mobile app for Microsoft's Bing search engine

Approximately 6.5TB of Microsoft Bing user data may have been left exposed online for two days after an Elasticsearch sever was left unsecured and open to the internet.

Data relating to search queries, device details, and GPS coordinates were found in a database by online security site WizCase, which was then able to trace the server back to Bing's mobile app.

The server was said to be growing by as much as 200GB per day while exposed, according to Ata Hakcil, a white hat hacker who also served as lead investigator for the website.

A link between the server and Bing was eventually found after researchers ran a search query for "WizCase" on the Bing mobile app and then paired the query data with that held on the server.

Exposed data included search terms in clear text, search times, locations, notification tokens, a partial list of URLs users visited from their search results, device models they used, their operating systems and three separate ID numbers (ADID, deviceID and devicehash) assigned to each user.

The server is believed to have been password protected until around the 10th September, with the server eventually being discovered by the WizCase team two days later. By the 16th September, Microsoft had been alerted and had encrypted the server once more.

The team believes that anyone who had used Bing's mobile app for internet searches between the 10th and 16th September may have had their data leaked online.

Researchers also believe that during this period the database was subject to what's known as a "meow" attack – an automated attack that targets unsecured Elasticsearch servers and destroys huge volumes of data without explanation or reason.