Microsoft Secures Bing App Server That Leaked 6.5TB Of User Search Queries And GPS Data For A Week

bing mobile
When it comes to troublesome data breaches, this one is pretty significant, and it comes from a surprising company. The company in question is Microsoft, which left one of its backend servers that runs the Bing mobile app wide open. As a result, over 6.5TB of log files were leaked into the internet that contained a treasure trove of user search data.

Inexplicably, Microsoft staffers left the Elasticsearch server online without any kind of password protection from September 10th through September 16th. This lapse in security by Microsoft was discovered by Ata Hakcil, who is a white hat hacker from the WizCase online security team.

The data that was exposed comes primarily from Microsoft's Bing mobile app, which is available for both Apple iOS and Google Android mobile devices. Given that our smartphones are with us at all times and that we use them to make all sorts of queries via search engines -- or in this case, search apps -- the amount and type of data that was leaked is extraordinary.

According to WizCase, these are the data entries that were exposed during that week-long security "fail" by Microsoft:

  • Search Terms in clear text, excluding the ones entered in private mode
  • Location Coordinates: If the location permission is enabled on the app, a precise location, within 500 meters, was included in the data set. While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located. By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.
  • The exact time the search was executed.
  • Firebase Notification Tokens
  • Coupon Data such as timestamps of when a coupon code was copied or auto-applied by the app and on which URL it was
  • A partial list of the URLs the users visited from the search results
  • Device (Phone or Tablet) model
  • Operating System
  • 3 separate unique ID numbers assigned to each user found in the data
    • ADID: Appears to be a unique ID for a Microsoft account
    • deviceID
    • devicehash 

As if the search queries and GPS location data wasn't bad enough, the fact that there were three types of identifiers assigned to individual users makes it relatively easy to track down individuals. WizCase discovered the open server on September 12th, and confirmed their finding to Microsoft on September 13th. However, it was not until three days later that Microsoft finally secured the server.

During that time, roughly 100 million records were obtained by hackers, and the server allegedly came under attack by hacker group Meow. WizCase says that the detailed information found could be used for blackmail (since search queries — including explicit ones — can be traced back to individuals) and phishing scams, among other crimes. In the case of search terms, the data obtained from the breach even showed search for child pornography along with the websites that they visited after performing such reprehensible searches.

Needless to say, if you performed a Bing search using the mobile app between September 10th and September 16th, your queries are likely to have been caught up in Microsoft’s week of carelessness.