Microsoft Leaked Bing Data Online Through An Unsecured Server

While data leaks via exposed servers aren’t uncommon, this time the firm at fault is a tech giant. Reportedly, Microsoft leaked Bing mobile app data via an unsecured server.

Microsoft Leaked Bing Data

A team of researchers from WizCase, headed by Ata Hakcil, found an unsecured Microsoft server that leaked Bing data. Specifically, the Elasticsearch server exposed details related to the Bing mobile app.

The exposed data included various non-personal information about users’ search queries. The researchers could even find their own details when they searched the data for “Wizcase”. The exposed information logged by the Bing mobile app included the following.

  • Search terms
  • Partial list of URLs that a user visited from the search results
  • Location with GPS coordinates
  • Device data including the type (phone/tablet) and model
  • Operating system
  • Time of search
  • Three different unique identifiers for users: ADID (Microsoft account unique ID), deviceID, and devicehash
  • Firebase Notification Tokens
  • Coupon data

Overall, the exposed data belonged to users from over 70 countries. The 6.5TB unprotected server was growing at a rate of 200GB per day.

Details about these findings are available in the researchers’ blog post.

Microsoft Secured The Exposed Server

Upon discovering the leaky server on September 12, 2020, the researchers contacted Microsoft on September 13, 2020. Within three days, that is, on September 16, 2020, Microsoft secured the leaky server.

However, during the time it remained exposed, the researchers witnessed cyberattacks on the server, in which the attackers even pilfered the data. Specifically, they observed Meow attacks between September 10 and 12, 2020, and then on September 14, 2020.

While the database is now secured, these attacks still pose a risk of phishing, physical attacks (because of location), and more.

The researchers advise users to use VPNs to protect their technical data from such logging.
