Microsoft suffered a cyber-security lapse when one of Bing's backend servers was exposed online. Sensitive data of the search engine's mobile application users, including search queries, device details and GPS coordinates, was exposed, among other information.
The logging database, however, does not include any personal details of the users such as names or addresses.
The data leak was discovered by Ata Hakcil, a security researcher at WizCase. It consists of a massive 6.5 TB cache of log files that was left accessible without any password, allowing cybercriminals to leverage the information for extortion and phishing scams.
The exposed server was identified as an Elasticsearch instance. It is believed to have been password-protected until September 10, after which the authentication appears to have been removed. Over the past four years, Elasticsearch servers have been the source of many accidental data leaks.
The findings were reported to Microsoft Security Response Center, and the tech giant fixed the misconfiguration on September 16.
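The report does not say which setting was changed on Bing's server, so the following is an added illustration, not from WizCase or Microsoft: the kind of elasticsearch.yml contrast a defender would look for when auditing a node, with an instance listening on all interfaces and security switched off beside one that keeps authentication and TLS on (the address and keystore path are constructed placeholders).

```yaml
# Added example, not the page's own material: an exposed node
# (constructed; the actual settings on Bing's server are not stated in the report).
network.host: 0.0.0.0             # listens on every interface, public ones included
xpack.security.enabled: false     # no authentication: anyone who can reach port 9200 can read the indices
---
# Hardened configuration for the same node
network.host: 10.0.0.5            # bind only to an internal address (placeholder value)
xpack.security.enabled: true      # every request must carry valid credentials
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

On Elasticsearch 7.x the security module defaults to off outside trial or licensed deployments, so an unauthenticated node is the default state rather than an exception; from 8.0 onward security is enabled automatically at first start. A quick check on your own node is an unauthenticated request to its HTTP port, which should return 401 when authentication is on.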
According to WizCase's Chase Williams, anyone who made a Bing search with the mobile app while the server was exposed might be at risk. The researchers saw records of searches from more than 70 countries.
Besides device and location details, the leaked data also included the exact time each search was performed using the mobile app, a partial list of the URLs the users visited from the search results, and three unique identifiers: ADID (a numeric ID assigned by Microsoft Advertising to an ad), "deviceID" and "devicehash".
Even though the exposed server did not disclose names or other personal information, the researcher warned that the data could still be exploited for malicious purposes. With a person's search queries in hand, an attacker can often work out who they are and make them an easy target for blackmail.